diff --git a/datadog/resource_datadog_security_monitoring_default_rule.go b/datadog/resource_datadog_security_monitoring_default_rule.go
index 354e9f4fc3..7e737e6ca1 100644
--- a/datadog/resource_datadog_security_monitoring_default_rule.go
+++ b/datadog/resource_datadog_security_monitoring_default_rule.go
@@ -164,9 +164,13 @@ func resourceDatadogSecurityMonitoringDefaultRuleRead(ctx context.Context, d *sc
 	d.Set("type", rule.GetType())
 	responseOptions := rule.GetOptions()
-	ruleOptions := []map[string]interface{}{{
-		"decrease_criticality_based_on_env": responseOptions.GetDecreaseCriticalityBasedOnEnv(),
-	}}
+	var ruleOptions []map[string]interface{}
+
+	if *rule.Type == datadogV2.SECURITYMONITORINGRULETYPEREAD_LOG_DETECTION {
+		ruleOptions = append(ruleOptions, map[string]interface{}{
+			"decrease_criticality_based_on_env": responseOptions.GetDecreaseCriticalityBasedOnEnv(),
+		})
+	}
 	d.Set("options", &ruleOptions)
diff --git a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.freeze b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.freeze
index a1be1f7eed..dd8fb61f4d 100644
--- a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.freeze
+++ b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.freeze
@@ -1 +1 @@
-2022-10-13T14:12:00.249128+02:00
\ No newline at end of file
+2023-01-09T11:33:37.933584+01:00
\ No newline at end of file
diff --git a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.yaml b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.yaml
index 15db9ec90f..f8765db3a0 100644
--- a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.yaml
+++ b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringDefaultRule_Basic.yaml
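Review bot: The new condition dereferences the pointer field directly (`*rule.Type == datadogV2.SECURITYMONITORINGRULETYPEREAD_LOG_DETECTION`) and will panic with a nil-pointer dereference if the API response omits `type`, whereas the line just above reads the same field through the nil-safe `rule.GetType()`. Reading it through the getter on both lines keeps Read from crashing the whole plan/refresh on a partial or unexpected response: `if rule.GetType() == datadogV2.SECURITYMONITORINGRULETYPEREAD_LOG_DETECTION {`. The generated getter presumably returns the zero value when the pointer is nil, so the comparison then simply fails and `options` is left empty rather than aborting. A one-line comment on the new `if` would also help the next maintainer, e.g. `// decrease_criticality_based_on_env only exists on log_detection rules; other rule types get an empty options list.` resourceDatadogSecurityMonitoringDefaultRuleRead starts before and continues after this hunk on both sides.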
@@ -11,7 +11,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. 
The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to 
address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, 
\"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that 
are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From the console\n\n1. Go to **Microsoft Defender for Cloud**\n2. Click on **Environment Settings**\n3. Click on a subscription\n4. Click on **Auto Provisioning** in the left column.\n5. Ensure that **Log Analytics agent for Azure VMs** is set to **On**\n\n### From the command line\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" \nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body JSON data as mentioned below: \n\n```bash\n{\n\t\"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default \",\n\t\"name\": \"default\",\n\t\"type\": \"Microsoft.Security/autoProvisioningSettings\",\n\t\"properties\": {\n\t\t\"autoProvision\": \"On\"\n\t}\n}\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection][2]\n3. [https://msdn.microsoft.com/en-us/library/mt704062.aspx][3]\n4. [https://msdn.microsoft.com/en-us/library/mt704063.aspx][4]\n5. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list][5]\n6. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create][6]\n7. 
[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification][7]\n\n[1]: https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n[2]: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n[3]: https://msdn.microsoft.com/en-us/library/mt704062.aspx\n[4]: https://msdn.microsoft.com/en-us/library/mt704063.aspx\n[5]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n[6]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n[7]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n## Additional Information\n- Excluding any of the entries in `input.json` may disable the specific setting by default.\n- Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. 
This recommendation is updated accordingly.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_center_auto_provisioning) = \"fail\" if {\n\tsecurity_center_auto_provisioning.auto_provision == \"Off\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_center_auto_provisioning"]},"validationQuery":"","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. 
However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the console\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. 
Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"25.2","framework":"gdp
r","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_account_public_access_block) if {\n\ts3_account_public_access_block.block_public_acls\n\ts3_account_public_access_block.block_public_policy\n\ts3_account_public_access_block.ignore_public_acls\n\ts3_account_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else if {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"'Block Public Access' feature is enabled for S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\n### From the console\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. 
Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. Go back to the VM and re-attach the disk\n\n### Using PowerShell\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption_type(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Attached\"\n} else = \"pass\" if {\n\tcompliant_encryption_type(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:Storage-Accounts","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","control:6.5.3","framework:cis-azure","control:2.6","control:4.1","control:3.1","requirement:Control-Activities","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. 
Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\n### From the command line\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.6","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.supports_https_traffic_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tcontains(storage_account.network_acls.bypass, \"AzureServices\")\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome 
resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\n### From the console\n\n**Note:** Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n1. Go to `Virtual machines`\n2. For each virtual machine, go to `Settings`\n3. Click on `Disks`\n4. Click the `X` to detach the disk from the VM\n5. Now search for `Disks` and locate the unattached disk\n6. Click the disk then select `Encryption`\n7. Change your encryption type, then select your encryption set\n8. Click `Save`\n9. Go back to the VM and re-attach the disk\n\n### From the commandline\n\n```powershell\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;\n$KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss][4]\n2. 
[https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json][5]\n3. [https://docs.microsoft.com/en-us/rest/api/compute/disks/delete][6]\n4. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete][7]\n5. [https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings][8]\n6. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update][9]\n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest][10]\n\n\n[1]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[4]: https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n[5]: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n[6]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n[7]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[8]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[9]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n[10]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Unattached\"\n} else = \"pass\" if {\n\tcompliant_encryption(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. 
If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. 
Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = 
\"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum message 
severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value of the 
`log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.11","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for SQL instance\nconfiguration changes.\n\n## Rationale\nMonitoring changes to SQL instance configuration changes may reduce the time needed to\ndetect and correct SQL server misconfigurations.\nBelow are a few configurable options that may impact the security posture of an\nSQL instance:\n \u2022 Enable auto backups and high availability: Misconfiguration may adversely impact\n business 
continuity, disaster recovery, and high availability\n \u2022 Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n### Impact \nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation \n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and clicking **CREATE METRIC**.\n2. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.\n3. Clear any text and add:\n\n ```\n protoPayload.methodName=\"cloudsql.instances.update\"\n ```\n\n4. Click **Submit Filter**. Display logs appear based on the filter text.\n5. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. \nThis ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every SQL instance configuration change in the project.\n8. 
Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][9]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][10]\n\n\n\n## References\n1. [https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/storage/docs/overview][5]\n6. [https://cloud.google.com/sql/docs/][6]\n7. [https://cloud.google.com/sql/docs/mysql/][7]\n8. [https://cloud.google.com/sql/docs/postgres/][8]\n9. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][9]\n10. 
[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][10]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/storage/docs/overview\n[6]: https://cloud.google.com/sql/docs/\n[7]: https://cloud.google.com/sql/docs/mysql/\n[8]: https://cloud.google.com/sql/docs/postgres/\n[9]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[10]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_method_name_constant := upper(\"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := 
input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, filter_method_name_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"rtu-ij2-tg6","createdAt":1666265090604,"name":"A log metric filter and 
alert exists for SQL instance configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","control:2.9","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for Virtual Private Cloud (VPC) network changes.\n\n## Rationale\nIt is possible to have more than one VPC within a project. \nIn addition, it is also possible to create a peer connection between two VPCs to enable network traffic routing between VPCs.\n\nMonitoring changes to a VPC helps to ensure that VPC traffic flow is not getting impacted.\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n resource.type=gce_network\n AND (protoPayload.methodName:\"compute.networks.insert\"\n OR protoPayload.methodName:\"compute.networks.patch\"\n OR protoPayload.methodName:\"compute.networks.delete\"\n OR protoPayload.methodName:\"compute.networks.removePeering\"\n OR protoPayload.methodName:\"compute.networks.addPeering\")\n ```\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][6]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][7]\n\n\n\n## References\n1. 
[https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/vpc/docs/overview][5]\n6. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][6]\n7. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][7]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/vpc/docs/overview\n[6]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[7]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.9","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=gce_network\")\n\nfilter_method_name_1 := upper(\"protoPayload.methodName:\\\"compute.networks.insert\\\"\")\n\nfilter_method_name_2 := upper(\"protoPayload.methodName:\\\"compute.networks.patch\\\"\")\n\nfilter_method_name_3 := upper(\"protoPayload.methodName:\\\"compute.networks.delete\\\"\")\n\nfilter_method_name_4 := upper(\"protoPayload.methodName:\\\"compute.networks.removePeering\\\"\")\n\nfilter_method_name_5 := upper(\"protoPayload.methodName:\\\"compute.networks.addPeering\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type)\n\tcontains(filter_parsed, filter_method_name_1)\n\tcontains(filter_parsed, filter_method_name_2)\n\tcontains(filter_parsed, filter_method_name_3)\n\tcontains(filter_parsed, filter_method_name_4)\n\tcontains(filter_parsed, filter_method_name_5)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if 
{\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"zv2-vh1-ixx","createdAt":1665677590865,"name":"A log metric filter and alert exists for VPC network changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data\nAccess logs to help answer the question of \"Who did what, where, and when?\" within GCP\nprojects.\nCloud audit logging records information such as the identity of the API caller, the time of\nthe API call, the source 
IP address of the API caller, the request parameters, and the\nresponse elements returned by GCP services. Cloud audit logging provides a history of GCP\nAPI calls for an account, including API calls made through the console, SDKs, command-line\ntools, and other GCP services.\n\n## Rationale\nCloud audit logging to Admin Activity and Data Access logs enables security\nanalysis, resource change tracking, and compliance auditing.\nConfiguring the metric filter and alerts for audit configuration changes ensures that the\nrecommended state of audit configuration is maintained so that all activities in the project\ncan be audited at any point in time.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n protoPayload.methodName=\"SetIamPolicy\" AND\n protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n ```\n6. Click **Create Metric**.\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. 
Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every audit configuration change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_methodname_constant := upper(\"protoPayload.methodName=\\\"SetIamPolicy\\\"\")\n\nfilter_servicedata_constant := 
upper(\"protoPayload.serviceData.policyDelta.auditConfigDeltas:*\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, filter_methodname_constant)\n\tcontains(filter_parsed, filter_servicedata_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sni-qbq-wix","createdAt":1665677774002,"name":"A log metric filter and alert exists for audit configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.8","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network route changes.\n\n## Rationale\nGoogle Cloud Platform (GCP) routes define the paths taken by network traffic from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. 
Traffic whose destination IP is within the destination range is sent to the next hop\nfor delivery.\nMonitoring changes to route tables helps to ensure that all VPC traffic flows through an expected path.\n\n### Impact\nEnabling of logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console:\n\n#### Create the prescribed Log Metric:\n1. Go to [Logs-based Metrics][1] within **Logging** in the Google Cloud console and click **CREATE METRIC**.\n2. Click the down arrow symbol on the filter bar at the rightmost corner and select\n**Convert to Advanced Filter**.\n3. Clear any text and add:\n ```\n resource.type=\"gce_route\"\n AND (protoPayload.methodName:\"compute.routes.delete\"\n OR protoPayload.methodName:\"compute.routes.insert\"\n ```\n4. Click **Submit Filter**. Display logs appear based on the entered filter text.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`\n(default) and `Type` to `Counter`. This ensures that the log metric counts the number of\nlog entries matching the advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` in the\n[Logs-based Metrics][1] page in the Google Cloud console.\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create\nalert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold\nand configuration that makes sense for your organization. For example, a\nthreshold of zero(0) for the most recent value ensures that a notification is triggered\nfor every owner change in the project:\n ```\n Set `Aggregator` to `Count`\n Set `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n ```\n4. Configure the desired notification channels in the section **Notifications**.\n5. 
Name the `policy` and click **Save**.\n\n### From the command line:\n\n#### Create the prescribed Log Metric: \n\nUse the command `gcloud beta logging metrics create`. Read the [usage reference][2] in the Google Cloud documentation for more information.\n\n#### Create the prescribed alert policy:\n\nUse the command `gcloud alpha monitoring policies create`. Read the [usage reference][3] in the Google Cloud documentation for more information.\n\n## References\n\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][4]\n2. [https://cloud.google.com/monitoring/custom-metrics/][5]\n3. [https://cloud.google.com/monitoring/alerts/][6]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][7]\n5. [https://cloud.google.com/storage/docs/access-control/iam][8]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[3]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[4]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[5]: https://cloud.google.com/monitoring/custom-metrics/\n[6]: https://cloud.google.com/monitoring/alerts/\n[7]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[8]: 
https://cloud.google.com/storage/docs/access-control/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.8","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=\\\"gce_route\\\"\")\n\nfilter_method_name_delete_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.delete\\\"\")\n\nfilter_method_name_delete := upper(\"protoPayload.methodName:\\\"compute.routes.delete\\\"\")\n\nfilter_method_name_insert_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.insert\\\"\")\n\nfilter_method_name_insert := upper(\"protoPayload.methodName:\\\"compute.routes.insert\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_filter(filter_parsed, 
filter_method_name_beta, filter_method_name) if {\n\tcontains(filter_parsed, filter_method_name_beta)\n} else if {\n\tcontains(filter_parsed, filter_method_name)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\n\tcontains(filter_parsed, filter_resource_type)\n\n\tvalid_filter(filter_parsed, filter_method_name_delete_beta, filter_method_name_delete)\n\tvalid_filter(filter_parsed, filter_method_name_insert_beta, filter_method_name_insert)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.notification_channels[_]\n\tmonitoring_alert_policy.enabled == true\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-dyl-9lb","createdAt":1668685067568,"name":"A log metric filter and alerts exist for VPC Network route changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.7","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network firewall rule changes.\n\n## Rationale\nMonitoring create or update firewall rule events gives insight to network access\nchanges and may reduce the time it takes to detect suspicious activity.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. 
Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"gce_firewall_rule\"\n AND protoPayload.methodName:\"compute.firewalls.patch\"\n OR protoPayload.methodName:\"compute.firewalls.insert\"\n OR protoPayload.methodName:\"compute.firewalls.delete\"\n ```\n \n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network firewall rule change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. 
Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/vpc/docs/firewalls][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: 
https://cloud.google.com/vpc/docs/firewalls\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.7","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"gce_firewall_rule\\\"\")\n\nfilter_patch_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.patch\\\"\")\n\nfilter_insert_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.insert\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.delete\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, 
logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_patch_constant)\n\tcontains(filter_parsed, filter_insert_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"xrg-k52-qt3","createdAt":1665677775464,"name":"A log metric filter and alerts exist for VPC network firewall rule 
changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.6","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for changes to Identity and\nAccess Management (IAM) role creation, deletion and updating activities.\n\n## Rationale\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google\nCloud Platform resources and prevent unwanted access to other resources. However, to\ncater to organization-specific needs, Cloud IAM also provides the ability to create custom\nroles. Project owners and administrators with the Organization Role Administrator role or\nthe IAM Role Administrator role can create custom roles. Monitoring role creation, deletion\nand updating activities helps identify any over-privileged role an early stage.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"iam_role\"\n AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"\n ```\n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every custom role change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. 
[https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/iam/docs/understanding-custom-roles][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/iam/docs/understanding-custom-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.6","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"iam_role\\\"\")\n\nfilter_create_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"\")\n\nfilter_update_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_create_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n\tcontains(filter_parsed, filter_update_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"8jp-b4x-ubz","createdAt":1665677984333,"name":"A log metric filter and alerts exist for custom role changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate does not expire within the next 7 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### From the console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### From the command line\n\n1. 
Run the [`delete-certificate`][2] command to remove the invalid certificate.\n\n ```\n aws acm delete-certificate --certificate-arn insert-certificate-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.\n\n## Rationale\n\n[Requests for ACM certificates time out if they are not validated within 72 hours][1]. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources. \n\n[ACM either renews your certificates automatically (if you are using DNS validation)][2], or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service. \n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up DNS Validation][3] or [Resending Validation Email][4] docs to validate a certificate in the AWS Console or by email.\n\n### From the command line\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[4]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is not pending 
validation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly. 
AMIs should only be shared with [specific AWS accounts][2] or [your AWS Organization][3].\n\n## Remediation\n\n### From the console\n\nFollow the instructions outlined in the [AWS documentation][4].\n\n### From the command line\n\nUse the following command to stop sharing the AMI:\n\n ```bash\n aws ec2 modify-image-attribute \\\n --image-id ami-xxxx \\\n --launch-permission \"Remove=[{Group=all}]\"\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308
-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tnot ami.image_owner_alias in [\"aws-marketplace\", \"amazon\"]\n} else if {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" if {\n\tami.public == false\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add steps to Triage and response section.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. 
Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect a successful `@evt.name:DeleteLogGroup` event.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` through a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n<<<<<<< HEAD\n[1]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n=======\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n>>>>>>> main\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. 
If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR 
cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no 
mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n* 10 March 2022 - Rule updated.\n* 15 December 2022 - Rule updated to cover edge case.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ConsoleLogin -@level:Error (@userIdentity.sessionContext.attributes.mfaAuthenticated:true OR @additionalEventData.MFAUsed:Yes) -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a 
user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n* 18 November 2022 - Updated severity.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false 
@responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add additional triage and response steps.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n## Changelog\n* 18 March 2022 - Rule query and severity updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR 
Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":20,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a 
scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. 
Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n## Changelog\n* 14 November 2022 - Updated severity.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 4 April 2022 - Rule query and signal message updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"}]} headers: Content-Type: - application/json 
@@ -28,7 +28,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking 
tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* 
[Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you 
monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 
0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* [DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. 
If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR 
DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM 
group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy 
@requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS 
IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a 
user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR 
Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:S3/AccountBlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Contact the user and determine why the user disabled the S3 Block Access feature. \n3. 
Re-enable S3 Block Public Access.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-kalilinux\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. 
Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty 
integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n## Changelog\n* 16 March 2022 - Rule severity and markdown updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n* 7 April 2022 - Updated rule query and signal message.\n* 5 January 2023 - Updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 7 April 2022 - Update rule and signal message.\n* 15 December 2022 - Update query to include Access Denied events and reduce severity.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated","distinctFields":[]},{"query":"source:cloudtrail @error.kind:AccessDenied @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated_access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful","condition":"aws_route53_querylogging_disassociated > 0"},{"status":"info","notifications":[],"name":"Access Denied","condition":"aws_route53_querylogging_disassociated_access_denied > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified 
with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR 
DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.\n31 October 2022 - updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 14 November 2022 - Updated options.\n\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. 
Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:Identity-and-Access-Management","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else if {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot 
keys_created_during_setup(credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else if {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_ip_addresses(azure_postgresql_firewall_rule) if {\n\tazure_postgresql_firewall_rule.start_ip_address != \"0.0.0.0\"\n} else if {\n\tazure_postgresql_firewall_rule.end_ip_address != \"0.0.0.0\"\n}\n\neval(azure_postgresql_firewall_rule) = \"pass\" if {\n\tnot azure_postgresql_firewall_rule.name in [\"ALL\", 
\"AllowAllAzureIps\"]\n\tcompliant_ip_addresses(azure_postgresql_firewall_rule)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_firewall_rule"]},"validationQuery":"","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 
5432\n\trule.to_port >= 5432\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\nTo update a security group rule: \n\n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2]\n2. In the navigation pane, choose **Security Groups**.\n3. Select the security group to update, then choose **Actions**.\n4. Choose **Edit inbound rules** to remove an inbound rule, or **Edit outbound rules** to remove an outbound rule.\n5. Update the rule as required.\n6. Choose **Preview changes**, **Confirm**.\n\nTo delete a security group rule: \n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2].\n2. In the navigation pane, choose **Security Groups**.\n3. 
Choose the **Delete** button to the right of the rule to delete.\n4. Choose **Preview changes**, **Confirm**.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","f
ramework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. 
This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. 
https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. 
See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle 
managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. 
Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. [https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical
-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have 
an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n} else if {\n\tkey_vault_key.attributes.enabled == true\n\tnot key_vault_key.attributes.exp == 0\n\tnot key_vault_key.attributes.exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tkey_vault_secret.attributes_exp\n\tnot key_vault_secret.attributes_exp == 0\n} else if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes.enabled == 
true\n\tkey_vault_secret.attributes.exp\n\tnot key_vault_secret.attributes.exp == 0\n}\n\neval(key_vault_secret) = \"pass\" if {\n\tcompliant(key_vault_secret)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. 
You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-discovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 17 October 2022 - Updated tags.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":19,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. \n\n### From the commandline\n\n1. For each server, [set retention policy][3] for more than or equal to 90 days.\n\n ```powershell\n Set-AzSqlServerAuditing -State Enabled -ServerName \"\" -ResourceGroupName \"\" -StorageAccountName \"abcd1234abcd1234abcd1234\" -RetentionInDays \n ```\n\n**Note:** You can set the number of days to 0 for unlimited retention.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]\n\n[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0][3]\n[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"A
udit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_retention_period(audit_setting) if {\n\taudit_setting.retention_days == 0\n} else if {\n\taudit_setting.retention_days >= 90\n}\n\neval(sql_server) = \"pass\" if {\n\tlower(sql_server.audit_setting.state) == \"enabled\"\n\tcompliant_retention_period(sql_server.audit_setting)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. 
This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. 
Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" if {\n\tcompliant(iam_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.audit_setting.state == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n* 15 November 2022 - Updated query to reduce false positives, updated option values.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication @evt.outcome:success ((-@properties.authenticationDetails.authenticationMethod:\"Previously satisfied\" -@properties.authenticationDetails.authenticationStepResultDetail:\"First factor requirement satisfied by claim in the token\") OR -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\") OR -@properties.authenticationDetails.authenticationMethod:\"Windows Hello for Business\") @properties.authenticationDetails.authenticationStepRequirement:\"Primary authentication\"","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n* 26 October 2022 - Updated query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 4 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 4"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure AD brute force login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that 
use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor 
Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. 
From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_active_directory_administrators(sql_server) if {\n\tsome active_directory_administrator in sql_server.active_directory_administrators\n\tactive_directory_administrator.administrator_type == \"ActiveDirectory\"\n\tactive_directory_administrator.name == \"ActiveDirectory\"\n} else if {\n\tnot sql_server.active_directory_administrators\n}\n\neval(sql_server) = \"pass\" if 
{\n\tcompliant_active_directory_administrators(sql_server)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. 
Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky 
Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf [remote debugging][1] is enabled, this can allow an attacker access to your applications. To reduce your attack surface, disable remote debugging when not actively needed. \n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list \\\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n ```\n az webapp config show \\\n\t--ids \"\" \\\n\t--query 'remoteDebuggingEnabled'\n ```\n3. Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set \\\n\t--ids \"\" \\\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.\n\n\n## References\n1. 
[Azure webapp config set][2]\n\n[1]: https://devblogs.microsoft.com/premier-developer/remote-debugging-azure-app-services/\n[2]: https://learn.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_remote_debugging_enabled == true\n} else if {\n\tapp_service.site_config.remote_debugging_enabled == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. 
Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == false\n} else if {\n\tapp_service.site_config.always_on == false\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == true\n} else if {\n\tapp_service.site_config.always_on == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. 
If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:Control-Activities","control:9.9","requirement:AppService","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From the command line\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_site_config(app_service) if {\n\tapp_service.site_config_http20_enabled\n} else if {\n\tapp_service.site_config.http20_enabled\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_site_config(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\"\nand \"Soft Delete\" functions. 
This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. 
\n\nEnabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n**WARNING**: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\n## Remediation\n\nEnable \"Do Not Purge\" and \"Soft Delete\" for a key vault.\n\n### From the console\n\n1. Go to **Key Vaults**.\n2. Click **Properties**.\n3. Ensure the status of soft-delete reads **'Soft delete has been enabled on this key vault'**.\n4. At the bottom of the page, click **'Enable Purge Protection'**.\n\n### From the command line \n\n ```bash\n az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n ```\n\n### From Powershell\n\n ```powershell\n Update-AzKeyVault -VaultName 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is 
recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. [https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"}]} headers: Content-Type: - application/json 
@@ -45,7 +45,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_a
uthentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. 
It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. 
Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### From the console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### From the command line\n\n1. Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: 
https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tto_number(postgresql_server.version) >= 11\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### From the command line\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. 
When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"contr
ol":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tpostgresql_server.storage_profile_geo_redundant_backup != \"Disabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.notifications_by_role.state == \"On\"\n\t\"Owner\" in security_contact.properties.notifications_by_role.roles\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. 
This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.alert_notifications.minimal_severity == \"High\"\n\tsecurity_contact.properties.alert_notifications.state == \"On\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.emails != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:azure","scope:azure-active-directory","technique:T1098-account-manipulation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure service principal being assigned an Azure role.\n\n## Strategy\nMonitor Azure Activity logs for the following operations:\n\n* `@evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"`\n* `@properties.requestbody:*ServicePrincipal*`\n\n## Triage and response\n1. Determine if this activity is legitimate by investigating the: \n * Source IP of this activity: `{{@network.client.ip}}`\n * The user who made this request: `@identity.claims.name`\n * The role that was assigned to the application or service principal.\n2. 
If this user should not be assigning this Azure role and if the service principal should not be assigned this role:\n * Revoke access of compromised credentials.\n * Remove unauthorized app registration and/or service principal.\n * Investigate other activities performed by the source IP `{{@network.client.ip}}` in the IP Investigation Dashboard.\n * Investigate other activities performed by the user `{{@usr.id}}` in the User Investigation Dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.authorization @evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" @properties.requestbody:*ServicePrincipal*","groupByFields":["@usr.id","@network.client.ip"],"aggregation":"count","name":"role_assignment","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"role_assignment > 0"}],"type":"log_detection","id":"vu1-3je-k6m","createdAt":1661900093294,"name":"Azure Service Principal was assigned a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","scope:azure.compute","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","source:azure.compute","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### From the command line\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output 
as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"skip\" if {\n\tnot virtual_machine_instance.os_profile.linux_configuration\n} else = \"pass\" if {\n\tvirtual_machine_instance.os_profile.linux_configuration.disable_password_authentication == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH 
Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_assignable_scope(assignable_scope) if {\n\tassignable_scope == \"/\"\n} else if {\n\tstartswith(assignable_scope, \"/subscriptions\")\n}\n\nnon_compliant_type(role_definition) if {\n\tlower(role_definition.properties_type) == \"customrole\"\n} else if {\n\tlower(role_definition.type) == \"customrole\"\n}\n\nnon_compliant_role_definition(role_definition) if 
{\n\tnon_compliant_type(role_definition)\n\tsome permission in role_definition.permissions\n\tsome action in permission.actions\n\taction == \"*\"\n\tsome assignable_scope in role_definition.assignable_scopes\n\tnon_compliant_assignable_scope(assignable_scope)\n}\n\neval(role_definition) = \"fail\" if {\n\tnon_compliant_role_definition(role_definition)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_role_definition"]},"validationQuery":"","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. 
Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.\n\n## Changelog\n* 2 November 2022 - Update strategy.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","requirement:AppService","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. 
Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.31
2-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"\"\n} else if {\n\tapp_service.site_config.java_version == \"\"\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"11\"\n} else if {\n\tapp_service.site_config.java_version == \"11\"\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\n### From the command line\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_php_version == \"\"\n} else if {\n\tapp_service.site_config.php_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.4.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_php_version)\n} else if 
{\n\tnon_compliant_version(app_service.site_config.php_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. 
Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","ver
sion":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_python_version == \"\"\n} else if {\n\tapp_service.site_config.python_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"3.6.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_python_version)\n} else if {\n\tnon_compliant_version(app_service.site_config.python_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### From the command line\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nretention_policy_not_compliant(enabled, days) if {\n\tenabled == true\n\tdays >= 1\n\tdays <= 89\n} else if {\n\tenabled == false\n}\n\nflow_log_not_compliant(flow_log) if {\n\tretention_policy_not_compliant(flow_log.retention_policy_enabled, flow_log.retention_policy_days)\n} else if {\n\tretention_policy_not_compliant(flow_log.retention_policy.enabled, flow_log.retention_policy.days)\n}\n\nflow_log_retention_policy_enabled(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else if {\n\tflow_log.retention_policy.enabled == true\n}\n\neval(network_watcher) = \"fail\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_retention_policy_enabled(flow_log)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is 
added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From the command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else if {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on the ARN: 
{{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is 
required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse a secure protocol and cipher to protect communication between the client and your Classic Elastic Load Balancers (ELBs). TLS 1.0 and 1.1 are vulnerable to attacks due to multiple insecurities, for this reason we recommend the use of `ELBSecurityPolicy-TLS-1-2-2017-01` which authorizes TLS 1.2. \n\n## Rationale\n\nInsecure communication channels increase the risk of attacks, such as man-in-the-middle, downgrade attacks, and sensitive data breaches. It is recommended to configure listeners to use HTTPS, or SSL, and `ELBSecurityPolicy-TLS-1-2-2017-01`, or a custom policy with an equivalent or more secure [configuration][1]. 
TLS on port 443 will generate a `pass` condition for this rule only if a secure policy is attached to the listener.\n\n### Protocol and cipher details\n\nThis configuration check tests for a listener configured using HTTPS, SSL, or TLS on port 443, as well as for the absence of [ciphers][6] and [protocols][1] for secure listener configurations that are not recommended by AWS.\n\n\n## Remediation\n\nIt is recommended to modify listeners configured to use TLS on port 443, to HTTPS on port 443, and select a secure policy.\n\n### From the console\n\n1. Follow the [Create an HTTPS/SSL load balancer using the console][2] documentation to learn how to create an HTTPS/SSL load balancer in the AWS console. \n2. Follow the [Update the SSL negotiation configuration using the console][4] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. \n\n### From the command line\n\n1. Follow the [Create an HTTPS/SSL load balancer using the AWS CLI][3] documentation to learn how to create an HTTPS/SSL load balancer in the AWS command line. \n2. Follow the [Update the SSL negotiation configuration using the console][5] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. 
\n\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-console\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt\n[4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-console\n[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-cli\n[6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-S
ecurity","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nweak_ciphers_and_protocols := {\n\t\"Protocol-SSLv2\", \"Protocol-SSLv3\",\n\t\"Protocol-TLSv1.1\", \"Protocol-TLSv1\",\n\t\"CAMELLIA128-SHA\", \"EDH-RSA-DES-CBC3-SHA\", \"DES-CBC3-SHA\", \"ECDHE-RSA-RC4-SHA\", \"RC4-SHA\", \"ECDHE-ECDSA-RC4-SHA\", \"DHE-DSS-AES256-GCM-SHA384\",\n\t\"DHE-RSA-AES256-GCM-SHA384\", \"DHE-RSA-AES256-SHA256\", \"DHE-DSS-AES256-SHA256\", \"DHE-RSA-AES256-SHA\", \"DHE-DSS-AES256-SHA\",\n\t\"DHE-RSA-CAMELLIA256-SHA\", \"DHE-DSS-CAMELLIA256-SHA\", \"CAMELLIA256-SHA\", \"EDH-DSS-DES-CBC3-SHA\", \"DHE-DSS-AES128-GCM-SHA256\",\n\t\"DHE-RSA-AES128-GCM-SHA256\", \"DHE-RSA-AES128-SHA256\", \"DHE-DSS-AES128-SHA256\", \"DHE-RSA-CAMELLIA128-SHA\", \"DHE-DSS-CAMELLIA128-SHA\",\n\t\"ADH-AES128-GCM-SHA256\", \"ADH-AES128-SHA\", \"ADH-AES128-SHA256\", \"ADH-AES256-GCM-SHA384\", \"ADH-AES256-SHA\", \"ADH-AES256-SHA256\",\n\t\"ADH-CAMELLIA128-SHA\", \"ADH-CAMELLIA256-SHA\", \"ADH-DES-CBC3-SHA\", \"ADH-DES-CBC-SHA\", \"ADH-RC4-MD5\", \"ADH-SEED-SHA\", \"DES-CBC-SHA\",\n\t\"DHE-DSS-SEED-SHA\", \"DHE-RSA-SEED-SHA\", \"EDH-DSS-DES-CBC-SHA\", \"EDH-RSA-DES-CBC-SHA\", \"IDEA-CBC-SHA\", \"RC4-MD5\", \"SEED-SHA\", \"DES-CBC3-MD5\",\n\t\"DES-CBC-MD5\", \"RC2-CBC-MD5\", \"PSK-AES256-CBC-SHA\", \"PSK-3DES-EDE-CBC-SHA\", \"KRB5-DES-CBC3-SHA\", \"KRB5-DES-CBC3-MD5\", \"PSK-AES128-CBC-SHA\",\n\t\"PSK-RC4-SHA\", \"KRB5-RC4-SHA\", \"KRB5-RC4-MD5\", \"KRB5-DES-CBC-SHA\", \"KRB5-DES-CBC-MD5\", \"EXP-EDH-RSA-DES-CBC-SHA\", \"EXP-EDH-DSS-DES-CBC-SHA\",\n\t\"EXP-ADH-DES-CBC-SHA\", \"EXP-DES-CBC-SHA\", \"EXP-RC2-CBC-MD5\", \"EXP-KRB5-RC2-CBC-SHA\", \"EXP-KRB5-DES-CBC-SHA\", \"EXP-KRB5-RC2-CBC-MD5\",\n\t\"EXP-KRB5-DES-CBC-MD5\", \"EXP-ADH-RC4-MD5\", \"EXP-RC4-MD5\", 
\"EXP-KRB5-RC4-SHA\", \"EXP-KRB5-RC4-MD5\", \"DHE-RSA-AES128-SHA\", \"ECDHE-RSA-AES128-SHA\",\n\t\"ECDHE-ECDSA-AES128-SHA\", \"DHE-DSS-AES128-SHA\",\n}\n\ncompliant_protocol(elb_load_balancer) if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"HTTPS\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"SSL\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"TCP\"\n\telb_load_balancer.listener_descriptions[_].listener.load_balancer_port == 443\n}\n\nnon_compliant_encryption(elb_load_balancer) if {\n\tprotocol := elb_load_balancer.policy_descriptions[_].policy_attribute_descriptions[_]\n\tprotocol.attribute_name in weak_ciphers_and_protocols\n\tlower(protocol.attribute_value) == \"true\"\n}\n\npolicy_exists(elb_load_balancer) if {\n\telb_load_balancer.listener_descriptions[_].policy_names[_]\n}\n\neval(elb_load_balancer) = \"pass\" if {\n\tcompliant_protocol(elb_load_balancer)\n\tpolicy_exists(elb_load_balancer)\n\tnot non_compliant_encryption(elb_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wco-bmg-rfd","createdAt":1670369344591,"name":"Classic Load Balancer 
listener is securely configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. 
Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","v
ersion":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\"\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### From the console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### From the 
command line\n\n1. Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.web_acl_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### From the console\n\nFollow the [Values That You Specify When You Create or Update a 
Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nnon_compliant_distribution_config(origin_protocol_policy) if {\n\torigin_protocol_policy == \"TLSv1\"\n} else if {\n\torigin_protocol_policy == \"TLSv1_2016\"\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution.distribution_config.viewer_certificate.minimum_protocol_version)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnot cloudfront_distribution.distribution_config.logging.enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### From the console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### From the command line\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.include_global_service_events\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. 
CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.log_file_validation_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account 
and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. 
CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.kms_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS 
CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","scored:true","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsures AWS CloudTrail is enabled across all AWS regions.\n\n## Rationale\n\nAWS CloudTrail has the ability to deliver log files from multiple regions to a single S3 bucket, and a single CloudWatch Logs log group. This centralizes storage and control of logs data. \n\n## Remediation\n\nIt is beneficial to create an Organization trail, as that will create a trail with that name in every region, in every account belonging to the Organization. See the [Creating a trail for an organization][1] documentation for additional details.\n\nIf you are not using AWS Organizations, you can create a multi-region CloudTrail trail directly in the affected AWS account.\n\n### From the console\n\nTo create an Organization trail:\n1. Follow the [Creating a trail for an organization][2] instructions to get started with CloudTrail.\n\nTo create a multi-region trail in an AWS account:\n1. 
Follow the [Creating and updating a trail with the console][3] instructions to get started with CloudTrail. This will enable a multi-region CloudTrail by default. \n\n### From the command line\n\nTo convert a single-region trail to multi-region using the command line:\n\n1. Run `aws cloudtrail describe-trails` to investigate your current CloudTrail configuration.\n2. Run `update-trail` with the following arguments on your selected trail to [enable multi-region-trail][4].\n ```\n aws cloudtrail update-trail\n --name my-trail\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-console.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls
","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.is_multi_region_trail\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":21,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### From the console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. 
Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","f
ramework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_origin_protocol_policy(origin_protocol_policy) if {\n\torigin_protocol_policy == \"http-only\"\n} else if {\n\torigin_protocol_policy == \"match-viewer\"\n}\n\nnon_compliant_distribution_config(cloudfront_distribution) if {\n\tsome item in cloudfront_distribution.distribution_config.origins.items\n\tnon_compliant_origin_protocol_policy(item.custom_origin_config.origin_protocol_policy)\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### From the command line\n\n1. Generate a RSA key pair. Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. 
Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. 
Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.field_level_encryption_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### From the 
console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.viewer_protocol_policy == \"allow-all\"\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. 
For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From the console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" if {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\"\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else if {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (for example, `kubectl` or `docker`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `docker`) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"get\" AND \"--all-namespaces\") OR @process.args:(\"cluster-info\") OR @process.args:(\"auth\" AND \"can-i\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_enumeration","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"create\" AND \"namespace\") OR @process.args:(\"run\" AND \"image=\") OR @process.args:(\"port-forward\") OR @process.args:(\"attach\") OR @process.args:(\"exec\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_provision","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/docker\" (@process.args:(\"run\" AND \"--privileged\") OR @process.args:(\"exec\" AND \"-it\") OR @process.args:(\"run\" AND \"--cap-add\") OR @process.args:(\"apparmor=unconfined\") OR @process.args:(\"attach\"))","groupByFields":["host"],"aggregation":"count","name":"docker_provision","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kubectl_enumeration","condition":"kubectl_enumeration > 
0"},{"status":"medium","notifications":[],"name":"kubectl_provision","condition":"kubectl_provision > 0"},{"status":"medium","notifications":[],"name":"docker_provision","condition":"docker_provision > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. 
\n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. 
https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. 
Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. 
A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is 
set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. \n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. 
https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address or user agent 
when multiple user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and at least 5 of the `@evt.outcome` are equal to `false` by the same network IP address or user agent.\n\nSecurity Signal returns **MEDIUM** if`@evt.outcome` has value of `success` after 5 multiple failed logins by the same network IP address or user agent.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n* 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.\n* 26 October 2022 - Updated query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 
50055)","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_user_agent","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"count","name":"successful_login_same_user_agent","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4 && successful_login_same_user_agent > 0"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4"}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## 
Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* 
@evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.\n\n## Changelog\n* 2 November 2022 - Updated severity.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":56,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. 
Remediate compromised user accounts.\n\n## Changelog\n* 5 January 2023 - Updated query, severity of cases, and group by values.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:(\"Invalid Password\" OR \"User is Inactive\")","groupByFields":["@network.client.ip","@login_url"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @evt.name:LoginEvent @status:\"Success\"","groupByFields":["@network.client.ip","@login_url"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"at least 1 unique login success from a single IP","condition":"unique_users_failing_to_login >= 5 && successful_login>=1"},{"status":"low","notifications":[],"name":"at least 5 unique users have failed to login from a single IP","condition":"unique_users_failing_to_login >= 5"}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. 
This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename 
OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else if {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else if {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else if {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else if {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, 
credential_report, \"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\" -(@process.executable.path:\"/usr/bin/touch\" @file.path:\"/var/spool/cron/lastrun\")","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. 
Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" if {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Transparent 
Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_transparent_data_encryption(transparent_data_encryption) if {\n\ttransparent_data_encryption.status == \"Enabled\"\n} else if {\n\ttransparent_data_encryption.state == \"Enabled\"\n}\n\neval(sql_server_database) = \"pass\" if {\n\tcompliant_transparent_data_encryption(sql_server_database.transparent_data_encryption)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server_database"]},"validationQuery":"","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\" -(@process.ancestors.executable.name:postgres @process.args:*pg_wal*)","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job 
data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console\n\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. 
Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3
.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.network_acls.default_action == \"Deny\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for 
Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From the console\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(diagnostic_setting) = \"fail\" if {\n\tsome log in diagnostic_setting.logs\n\tlog.category in [\"Administrative\", \"Alert\", \"Policy\", \"Security\"]\n\tlog.enabled == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_diagnostic_setting"]},"validationQuery":"","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"}]} headers: Content-Type: - application/json 
@@ -62,7 +62,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":832}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. 
https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB 
data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: 
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb 
(@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. 
If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requiremen
t":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside 
containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### From the command line\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dynamodb) = \"pass\" if 
{\n\tupper(dynamodb.sse_description.status) == \"ENABLED\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_dynamodb"]},"validationQuery":"","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) 
snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### From the console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### From the command line\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"pass\" if {\n\tebs_snapshot.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized 
users.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_volume) = \"pass\" if {\n\tebs_volume.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ebs_volume"]},"validationQuery":"","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","control:1.11","security:compliance","source:ebs","control:6.5.3","cloud_provider:aws","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.11","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"fail\" if {\n\tsome permission in ebs_snapshot.create_volume_permissions\n\tpermission.group == \"all\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. 
\n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ec2_instance) = \"pass\" if {\n\tec2_instance.metadata_options.http_tokens == \"required\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ec2_instance"]},"validationQuery":"","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses 
IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### From the console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. 
Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"contro
l":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_access_logs(elb_load_balancer) if {\n\tsome attribute in elb_load_balancer.attributes\n\tattribute.access_log_enabled\n} else if {\n\telb_load_balancer.load_balancer_attributes.access_log.enabled\n}\n\neval(elb_load_balancer) = \"fail\" if {\n\tnot compliant_access_logs(elb_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### From the console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] doc to learn how to create a listener that checks for connection requests.\n\n### From the command line\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] doc.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912 \\\n --protocol HTTPS \\\n --port 443 \\\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456 \\\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(elbv2_load_balancer) if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTPS\"\n} else if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTP\"\n\telbv2_load_balancer.listeners[_].default_actions[_].redirect_config.protocol == \"HTTPS\"\n\telbv2_load_balancer.listeners[_].default_actions[_].type == \"redirect\"\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"fail\" if {\n\tnot compliant_listener(elbv2_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure 
listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLB's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n## Remediation\n\n### From the console\n\nFollow the [Create a listener for your network load balancer][1] doc to learn how to add a TLS listener to your network load balancer.\n\n### From the command line\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. 
Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] doc.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \\\n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \\\n --protocol TLS \\\n --port 443 \\\n --ssl-policy ELBSecurityPolicy-2016-08 \\\n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(listener) if {\n\tlistener.protocol == \"TCP\"\n\tlistener.port == 443\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\tnot elbv2_load_balancer.type == \"network\"\n} else = \"fail\" if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol != \"TLS\"\n\tnot compliant_listener(listener)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access 
Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### From the console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### From the command line\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else if {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### From the console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### From the command line\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"pass\" if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.ssl_policy in [\"ELBSecurityPolicy-TLS-1-1-2017-01\", \"ELBSecurityPolicy-TLS-1-2-Ext-2018-06\", \"ELBSecurityPolicy-FS-1-2-Res-2019-08\", \"ELBSecurityPolicy-FS-1-1-2019-08\", \"ELBSecurityPolicy-FS-1-2-Res-2020-10\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. 
Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### From the console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### From the command line\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.configuration_endpoint.port == 11211\n} else if {\n\telasticache.engine == \"redis\"\n\telasticache.configuration_endpoint.port == 6379\n}\n\neval(elasticache) = \"fail\" if {\n\tdefault_port_used(elasticache)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### From the command line\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticache) = \"pass\" if {\n\tcount(elasticache.cache_subnet_group_name) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### From the console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the 
console.\n\n### From the command line\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n --multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_engine_version(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.engine_version == \"1.6.6\"\n} else if {\n\telasticache.engine == \"redis\"\n\tstartswith(elasticache.engine_version, \"6.\")\n} else if {\n\tnot elasticache.engine in [\"memcached\", \"redis\"]\n}\n\neval(elasticache) = \"pass\" if {\n\tcompliant_engine_version(elasticache)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### From the console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### From the command line\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: 
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(version) = \"pass\" if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" if {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := dd_common.format_semver(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### OpenSearch\n\nIf you are using OpenSearch Service Domains, refer to Amazon's [guide for creating and managing Amazon 
OpenSearch Service domains][1] for both console and CLI remediation actions. \n\n### From the console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\neval(elasticsearch_domain) = \"fail\" if {\n\tsome policy in elasticsearch_domain.policies\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource 
in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra 
layer of security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Pro
cess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\tendswith(elasticsearch_domain.endpoint, \".es.amazonaws.com\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a 
VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement encryption at rest for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### From the command line\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```bash\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. 
Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```bash\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elasticsearch_domain) = \"pass\" if {\n\telasticsearch_domain.encryption_at_rest_options_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\telasticsearch_domain.encryption_at_rest_options_kms_key_id == \"(Default) aws/es\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate 
the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668091740758,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"co7-ldi-49e","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test 
rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668543986037,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"rje-tku-m3r","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response_1668543985"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:AppService","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. 
This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\n### From the console\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted 
channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ftps_state(app_service) if {\n\tapp_service.site_config_ftps_state == \"AllAllowed\"\n} else if {\n\tapp_service.site_config.ftps_state == \"AllAllowed\"\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_ftps_state(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the accessed 
bucket: {{bucket_name}} should be accessible to unauthenticated users.\n\n## Changelog\n* 27 October 2022 - updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","technique:T1078-valid-accounts","scope:gcp-cloud-functions","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect possible GCP service account impersonation activity using the gcploit exploitation framework.\n\n## Strategy\nMonitor GCP Cloud Function Logs `source:gcp.cloud.function` and detect if the following sequence of events has occurred within a one minute window:\n* Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)\n* Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`\n* Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`\n\n## Triage & Response\n1. Investigate if the function:`{{@function.name}}` was intentionally created by user `{{@usr.id}}`.\n2. 
If unauthorized:\n * Revoke access of compromised credentials.\n * Remove unauthorized cloud functions.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":3600,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloud.function @evt.name:google.cloud.functions.v1.CloudFunctionsService.CreateFunction @data.protoPayload.request.function.timeout:539s","groupByFields":["@function.name"],"aggregation":"cardinality","name":"function_creation","distinctFields":["@usr.id"]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"get_iam_policy","distinctFields":[]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"set_iam_policy","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"function_creation > 0 && get_iam_policy > 0 && set_iam_policy >0"}],"type":"log_detection","id":"un3-5tn-fmz","createdAt":1657138827448,"name":"GCP Service Account Impersonation using GCPloit Exploitation Framework"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect GCP service account impersonation activity through the use of access tokens.\n\n## Strategy\nMonitor GCP Admin Activity audit logs for event `@evt.name:GenerateAccessToken`:\n* Successful Attempts: `@data.protoPayload.authorizationInfo.granted:true`\n* Failed Attempts: `@evt.outcome:PERMISSION_DENIED`\n\n## Triage & Response\n1. 
Investigate if the user `{{@usr.id}}` from IP address:`{{@network.client.ip}}` intended to perform this activity.\n2. If unauthorized:\n * Revoke access of compromised user and service account.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n * Investigate other activities performed by the IP `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":300},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @data.protoPayload.authorizationInfo.granted:true","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_success","distinctFields":[]},{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @evt.outcome:PERMISSION_DENIED","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"generate_access_token_failed > 0 && generate_access_token_success > 0"},{"status":"low","notifications":[],"name":"Attempted","condition":"generate_access_token_failed > 0"}],"type":"log_detection","id":"mjs-vof-vtn","createdAt":1662479173677,"name":"GCP Service Account impersonation activity using access token generation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. 
This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. 
If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`).\n\n## Changelog\n* 17 October 2022 - Updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\naccess_key_used_too_long_ago(credential_report, seen, key_to_check) if {\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])] > last_used_age_threshold\n} else if {\n\tnot credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])]\n}\n\naccess_key_non_compliant(credential_report, seen, key_to_check) if {\n\tcredential_report[concat(\"\", [\"access_key_\", key_to_check, \"_active\"])]\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_rotated\"])] > last_rotated_age_threshold\n\taccess_key_used_too_long_ago(credential_report, seen, key_to_check)\n}\n\nnon_compliant_credential_report(credential_report, seen) if {\n\taccess_key_non_compliant(credential_report, seen, \"1\")\n} else if 
{\n\taccess_key_non_compliant(credential_report, seen, \"2\")\n}\n\nshould_skip(iam_user) if {\n\tsome credential_report in iam_user.credential_report\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else if {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" if {\n\tsome credential_report in iam_user.credential_report\n\tseen := iam_user.resource_seen_at\n\tnon_compliant_credential_report(credential_report, seen)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the last 30 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tcount(iam_user.user_policies) > 0\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = 
\"fail\" if {\n\tsome password_policy in iam_account.password_policy\n\tpassword_policy.minimum_password_length < 14\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:Identity-and-Access-Management","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. 
It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\naccount_invalid(iam_account) if {\n\tnot iam_account.password_policy_v2.password_reuse_prevention == 24\n}\n\neval(iam_account) = \"fail\" if {\n\taccount_invalid(iam_account)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. 
It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. 
[http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.2","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework"
:"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" if {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. 
Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninvalid_policy(password_policy) if {\n\tpassword_policy.expire_passwords == false\n} else if {\n\tpassword_policy.max_password_age > 90\n}\n\ninvalid_account(iam_account) if {\n\tinvalid_policy(iam_account.password_policy_v2)\n} else if {\n\tnot iam_account.password_policy_v2\n}\n\neval(iam_account) = \"fail\" if {\n\tinvalid_account(iam_account)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_lowercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_numbers == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_symbols == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_uppercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### From the command line\n\n1. 
Run `list-users` to get [a list of current IAM users][3].\n ```\n aws iam list-users\n ```\n\n2. Run the `list-user-policies` command find the [users attached policies][4].\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. Run the `detach-user-policy` command to [revoke Administrator access][5].\n ```\n aws iam detach-user-policy \\\n --user-name insert-username-here \\\n --policy-arn insert-policy-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","
version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_attached_policy(iam_user) if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy.policy_name == \"AdministratorAccess\"\n}\n\neval(iam_user) = \"fail\" if {\n\tnon_compliant_attached_policy(iam_user)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does not have admin permissions to your AWS 
account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","control:1.1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEach IAM role must have a [trust policy][1] which defines the principals who are trusted to assume that role. It is possible to specify a [wildcard principal][2] which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a [`Condition` element][3] to restrict access.\n\n## Rationale\n\nA trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.\n\n## Remediation\n\nEnsure the identified role does not have a principal value of `\"AWS\": \"*\"`. If a wildcard principal is necessary, use a `Condition` element to restrict access. Follow the [AWS documentation][4] to properly scope the `Principal` policy element.\n\n### From the console\n\n1. In the AWS Console, navigate to the IAM role you would like to change.\n2. On the IAM role page, click the **Trust relationships** tab.\n3. Click **Edit trust policy**.\n4. Make changes to the trust policy to remediate the risk.\n5. 
Click **Update policy**.\n\n### From the command line\n\nUse the `update-assume-role-policy` action to [update the role trust policy][5] to remediate the risk.\n\n aws iam update-assume-role-policy\n --role-name Test-Role\n --policy-document file://.json\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.1","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":
"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncontains_case_insensitive(array, elem) if {\n\tcandidate := array[_]\n\tlower(candidate) == lower(elem)\n}\n\neval(iam_role) = \"fail\" if {\n\trole_policy := iam_role.role_policy[_]\n\n\tlower(role_policy.statement_effect) == \"allow\"\n\trole_policy.policy_principal.principal_aws[_] == \"*\"\n\n\tcontains_case_insensitive(role_policy.statement_action, \"sts:AssumeRole\")\n\n\tnot role_policy.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_role"]},"validationQuery":"","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role trust policy does not contain a wildcard 
principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### From the console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### From the command line\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: 
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From the console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else if {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From the console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.can_ip_forward\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### From the console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### From the command line\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"fail\" if {\n\tstorage_blob_container.has_immutability_policy == false\n\tstorage_blob_container.has_legal_hold == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. 
If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 445\n\trule.to_port >= 445\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 20\n\trule.to_port >= 20\n} else if {\n\trule.from_port <= 21\n\trule.to_port >= 21\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","req
uirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 80\n\trule.to_port >= 80\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### From the command line\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else if {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1433\n\trule.to_port >= 1433\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 27017\n\trule.to_port >= 27017\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3306\n\trule.to_port >= 3306\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is restricted"}]} headers: Content-Type: - application/json 
@@ -79,7 +79,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":833}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. 
Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 9200\n\trule.to_port >= 9200\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound OpenSearch access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1521\n\trule.to_port >= 1521\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 (used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 23\n\trule.to_port >= 23\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 138\n\trule.to_port >= 137\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. 
Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\"\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.args:*\\/dev\\/tcp\\/*","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_known_bad","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(uname OR cat OR ls OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
(@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(curl OR wget)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"java_shell_execution_known_bad","condition":"java_shell_execution_known_bad > 0"},{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. 
Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From the console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed if {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed if {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed if {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" if {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n* 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n* 17 October 2022 - Updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### From the command line\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.vpc_config_vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing 
charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### From the command line\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnot_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\neval(lambda_policy_statement) = \"fail\" if {\n\tnot_compliant_policy_principal(lambda_policy_statement.policy_principal)\n\tlambda_policy_statement.statement_effect == \"Allow\"\n\tnot lambda_policy_statement.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_policy_statement"]},"validationQuery":"","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","control:CC7.5","framework:gdpr","requirement:Security-Management-Process","requirement:Application-Updates","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### From the command line\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.runtime in [\"nodejs16.x\", \"python3.9\", \"ruby2.7\", \"java11\", \"go1.x\", \"dotnet6\", \"provided.al2\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. 
This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: 
https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. 
If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:(\"-S\" OR \"-Sa\" OR \"-aS\" OR \"--status\" OR \"--all\")","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. 
To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. 
Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. [https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id |\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else if {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. 
Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. 
This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tnot iam_account.account_mfa_enabled == 1\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.6","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","framework:security-labs","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.6","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"1.10","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome report in iam_user.credential_report\n\treport.password_enabled == true\n\treport.mfa_active == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. 
For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(entry) if {\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n} else if {\n\tentry.port_range_from <= 22\n\tentry.port_range_to >= 22\n} else if {\n\tentry.port_range_from <= 3389\n\tentry.port_range_to >= 3389\n}\n\nnon_compliant_protocols_and_ports(entry) if {\n\tentry.protocol in [\"tcp\", 
\"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(entry)\n} else if {\n\tnot entry.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.cidr_block == \"0.0.0.0/0\"\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.ipv6_cidr_block == \"::/0\"\n}\n\neval(network_acl) = \"fail\" if {\n\tsome entry in network_acl.entries\n\tentry.egress == false\n\tentry.rule_action == \"allow\"\n\tnon_compliant_cidr_block(entry)\n\tnon_compliant_protocols_and_ports(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### From the console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### From the command line\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. 
\n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if 
{\n\tsecurity_rule.destination_port_range == \"*\"\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else if {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly 
used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:(\"-V\" OR \"--version\")","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. 
[http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1
"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_credential_report) = \"skip\" if {\n\tiam_credential_report.user != \"\"\n} else = \"pass\" if {\n\tnot iam_credential_report.access_key_1_active\n\tnot iam_credential_report.access_key_2_active\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key 
exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access\nto remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n### Impact \n\nWhen updating an existing environment, ensure that administrators have access to\nremote server administration ports through another mechanism before removing access\nby deleting the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) inbound rule.\n\n## Remediation\n\nPerform the following to implement the prescribed state:\n1. Login to the AWS Management Console at\n[https://console.aws.amazon.com/vpc/home][1]\n2. In the left pane, click **Security Groups**\n3. 
For each security group, perform the following:\n A. Select the security group\n B. Click the **Inbound Rules** tab\n C. Click the **Edit inbound rules** button\n D. Identify the rules to be edited or removed\n E. Either update the **Source** field to a range other than 0.0.0.0/0, or click\n**Delete** to remove the offending inbound rule\n F. Click **Save rules**\n\n\n[1]: https://console.aws.amazon.com/vpc/home\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Proc
essing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. 
Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. 
[https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = 
\"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"}]} headers: Content-Type: - application/json 
@@ -96,7 +96,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":833}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and 
response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From the console\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From the command line\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. 
The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur 
when permitting unfettered outbound access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Acc
ess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol in [\"icmp\", \"1\"]\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\"]\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1497-virtualization-or-sandbox-evasion","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug -@process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_antidebug @process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug_unknown_tracer","condition":"ptrace_antidebug_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_antidebug_known_tracer","condition":"ptrace_antidebug_known_tracer > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process 
debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. 
If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":
"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tsome firewall_rule in postgresql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. 
An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 26 August 2022 - Updated rule query\n* 1 November 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(21 OR 22 OR 23 OR 445 OR 
2375 OR 3389 OR 5900 OR 5985 OR 5986))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:21 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:21)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:22 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:22)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3389 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3389)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5900 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5900)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:2375 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:2375)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5985 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5985)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5986 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5986)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:23 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:23)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:445 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:445)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"medium","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"medium","notifications":[],"name":"SSH","condition":"sg_ssh_port > 
0"},{"status":"medium","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"medium","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"medium","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"medium","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"medium","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. 
Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. 
Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. \n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following 
ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** A separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 15 December 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR 
@requestParameters.ipPermissions.items.toPort:3306) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3306 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3306)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5432 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5432)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:1433 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:1433)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:27017 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:27017)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 
OR @requestParameters.ipPermissions.items.toPort:6379) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6379 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6379)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR 
@requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:9200 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:9200)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 
0"},{"status":"medium","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"medium","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"medium","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"medium","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"medium","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"medium","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. 
If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args -@process.executable.path:\"/usr/bin/grep\"","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection -@process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_injection @process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection_unknown_tracer","condition":"ptrace_injection_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_injection_known_tracer","condition":"ptrace_injection_known_tracer > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. 
Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. 
Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"pass\" if {\n\taks_cluster.enable_rbac\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. 
[Disable direct RDP access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framewo
rk":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range in [\"3389\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 3389\n\tto_number(split_port_range[1]) >= 3389\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. 
Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. 
[https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == 
\"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] documentation to ensure your database instances are encrypted.\n\n### From the command line\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances \\\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot \\\n --db-snapshot-identifier my-db-snapshot \\\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases \\\n --region us-west-1\n ```\n\n4. 
Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot \\\n --region us-west-1 \\\n --source-db-snapshot-identifier original-db-snapshot-id \\\n --target-db-snapshot-identifier encrypted-db-snapshot-id \\\n --copy-tags \\\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-id \\\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-snapshot-id \\\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","re
quirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(rds_instance) = \"pass\" if {\n\trds_instance.storage_encrypted == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted 
access to your RDS instance allows everyone on the internet to establish a connection with your database. This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### From the command line\n\n1. Run the `modify-db-instance` command to make the instance not publicly accessible.\n\n ```\n aws rds modify-db-instance\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --db-instance-identifier INSERT_DB_INSTANCE_NAME \\\n\t --no-publicly-accessible \\\n\t --apply-immediately\n ```\n2. Run the `revoke-security-group-ingress` command to block any IPv4 address connecting to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --group-id INSERT_SECURITY_GROUP_ID \\\n\t --protocol tcp \\\n\t --port 3306 \\\n\t --cidr 0.0.0.0/0 \n ```\n3. For IPv6 you can use the same command from step 2 but use the `--ip-permissions` option instead. Reference this [aws-cli documentation][1] for more information.\n\n4. After removing the 0.0.0.0/0 or ::/0 cidr ranges from ingress you need to add in better cidr ranges using the `authorize-security-group-ingress` command.\n\n ```\n aws ec2 authorize-security-group-ingress\n \t --region INSERT_DB_INSTANCE_REGION\n\t --group-id INSERT_SECURITY_GROUP_ID\n\t --protocol tcp\n\t --port 3306\n\t --cidr INSERT_SMALLER_CIDR_RANGE\n ```\n\n[1]: 
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html#options","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecurity_group_vpc_id_to_compliant = {security_group.vpc_id |\n\tsome security_group in input.resources.aws_security_group\n\tcheck_group_non_compliance(security_group)\n}\n\ncheck_group_non_compliance(security_group) if {\n\tsecurity_group_rules := security_group.rules[_]\n\tlower(security_group_rules.direction) == \"ingress\"\n\tcheck_ip_range(security_group_rules)\n}\n\ncheck_ip_range(security_group_rules) if {\n\tsecurity_group_rules.ip_range == \"0.0.0.0/0\"\n}\n\ncheck_ip_range(security_group_rules) if 
{\n\tsecurity_group_rules.ipv6_range == \"::/0\"\n}\n\neval(rds_instance) = \"fail\" if {\n\trds_instance.publicly_accessible == true\n\tsecurity_group_vpc_id_to_compliant[rds_instance.db_subnet_group_vpc_id]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance","aws_security_group"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. 
This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### From the console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### From the command line\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: 
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(rds_instance) if {\n\trds_instance.engine in [\"aurora\", \"aurora-mysql\", \"mysql\", \"mariadb\"]\n\trds_instance.endpoint_port == 3306\n} else if {\n\trds_instance.engine in [\"postgres\", \"aurora-postgresql\"]\n\trds_instance.endpoint_port == 5432\n} else if {\n\trds_instance.engine in [\"oracle-ee\", \"oracle-se2\", \"oracle-se1\", \"oracle-se\"]\n\trds_instance.endpoint_port == 1521\n} else if {\n\trds_instance.engine in [\"sqlserver-ee\", \"sqlserver-se\", \"lserver-ex\", \"sqlserver-web\"]\n\trds_instance.endpoint_port == 1433\n}\n\neval(rds_instance) = \"fail\" if {\n\tdefault_port_used(rds_instance)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","control:1.4","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots by ensuring they are not publicly accessible.\n\n## Rationale\n\nRDS Snapshots can be marked as [public][3], allowing anyone the ability to copy the snapshot to their AWS account and create database instances from it. 
Unless a snapshot is being shared intentionally, it should be deleted.\n\n## Remediation\n\n### From the console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### From the command line\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n```\naws rds modify-db-snapshot-attribute \\\n --db-snapshot-identifier yourdbsnapshot \\\n --attribute-name restore \\\n --values-to-remove \"all\"\n```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Public\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing",
"version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_restore_attributes(db_snapshot_restore_attribute_values) if {\n\tdb_snapshot_restore_attribute_values[_] == \"all\"\n}\n\neval(rds_db_snapshot) = \"fail\" if {\n\tnon_compliant_restore_attributes(rds_db_snapshot.db_snapshot_restore_attribute_values)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_db_snapshot"]},"validationQuery":"","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. 
To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. [https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### From the command line\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster \\\n --cluster-identifier cluster-name \\\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name \\\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster \\\n --cluster-identifier old-cluster \\\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm Redshift clusters are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing clusters in a VPC][2] docs to learn how to modify public accessibility for your clusters.\n\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tnot redshift_cluster.publicly_accessible\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. 
If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.master_username != \"awsuser\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. 
Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. 
Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framew
ork":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.endpoint.port != 5439\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### From the console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. 
Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### From the console\n\nFollow the Amazon Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### From the command 
line\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = 
\"pass\" if {\n\tredshift_cluster.cluster_logging.logging_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:AppService","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\n### From the command line\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_identity(app_service) if {\n\tapp_service.identity_principal_id\n} else if {\n\tapp_service.identity.principal_id\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_identity(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active 
Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. 
Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag in the docker run command you can specify a restart policy for how a container 
should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n}\n\ndestination_with_filter(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tlog_bucket_bucket_name := trim_right(split(logging_log_bucket.resource_name, \"buckets/\")[1], \"\\\"\")\n\tsink_bucket_bucket_name := trim_right(split(logging_log_sink.destination, \"buckets/\")[1], \"\\\"\")\n\tlog_bucket_bucket_name == sink_bucket_bucket_name\n\tlogging_log_sink.filter != \"\"\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_with_filter(logging_log_bucket)\n} else = \"pass\" if {\n\tcompliant(logging_log_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" if {\n\tnon_compliant_keys(iam_credential_report)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects to the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\n### From the console\n\n1. Open the [AWS KMS console][1].\n2. To change the AWS region, use the region selector in the upper-right corner of the page.\n3. Choose **Customer managed keys**.\n4. Choose the alias of the key to update in the **Alias** column.\n5. Choose **Key rotation**.\n6. Select **Automatically rotate this KMS key every year** and then choose **Save**.\n\n### From the command line\n\n1. Use the [`enable-key-rotation`][2] command to set an automatic rotation of a KMS key on an annual basis.\n\n ```\n aws kms enable-key-rotation \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n2. Use the [`get-key-rotation-status'][3] command to verify that you've set the rotation correctly.\n\n ```\n aws kms get-key-rotation-status \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n\n## References\n\n1. 
[https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html][4]\n\n[1]: https://console.aws.amazon.com/kms\n[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-rotation-status.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aws_kms) = \"skip\" if {\n\taws_kms.key_manager != \"CUSTOMER\"\n} else = \"fail\" if {\n\tnot aws_kms.key_rotation_enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_kms"]},"validationQuery":"","resourceType":"aws_kms","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your bucket ACL to remove public `READ_ACP`, `READ` access.\n\n## Rationale\n\n* Public `READ_ACP` access gives anyone the ability to read the bucket ACL. With this permission, anyone can see who controls your objects. 
This information can potentially be used to find misconfigured permissions and gain access to your S3 data.\n\n* Public `READ` access allows the grantee to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][3].\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-P
rocess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"READ\", \"READ_ACP\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if {\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket ACL and bucket objects are not publicly readable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket ACL is not viewable by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.5","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP`, `WRITE`, or `FULL_CONTROL` access for all AWS users or any authenticated AWS user.\n\n## Rationale\n\n* Public `WRITE_ACP` access gives anyone permissions to change the S3 bucket Access Control List. 
With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.\n\n* Public `WRITE` access allows the grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects. \n\n* Public `FULL_CONTROL` access allows the grantee the `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` permissions on the bucket.\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][1].\n\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.5","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"WRITE\", \"WRITE_ACP\", \"FULL_CONTROL\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if 
{\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket ACLs are configured to block public write actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of 
Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### From the console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### From the command line\n\n1. Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"pass\" if {\n\ts3_bucket.versioning_mfa_delete == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" if {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 
bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### From the console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### From the command line\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninsecure_sse_algorithm(encryption_configuration) if {\n\tnot encryption_configuration.sse_algorithm in [\"AES256\", \"aws:kms\"]\n}\n\nbad_encryption_rules(s3_bucket) if {\n\tsome encryption_rules in s3_bucket.bucket_encryption_rules\n\tsome rules in encryption_rules.rules\n\tinsecure_sse_algorithm(rules.apply_server_side_encryption_by_default)\n} else if {\n\tnot s3_bucket.bucket_encryption_rules\n}\n\neval(s3_bucket) = \"fail\" if {\n\tbad_encryption_rules(s3_bucket)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling versioning on 
buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### From the command line\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tnot s3_bucket.versioning_status == \"Enabled\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket ACL to remove public `READ` access.\n\n## Rationale\n\nGranting public `READ` allows anyone to list objects within a bucket. 
Note that it does not allow to directly read the actual bucket objects.\n\n## Remediation\n\n### From the console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### From the command line\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n ```\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"p
olicy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.3","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run the [`delete-bucket-policy`][2] command to fully remove any public access to the bucket.\n\n ```\n aws s3api delete-bucket-policy \\\n --bucket insert-bucket-name-here\n ```\n\n2. If you need a bucket policy, create a new non-public bucket policy using the [AWS Policy Generator][3].\n3. 
Apply the bucket policy from Step 2 with the [`put-bucket-policy`][4] command.\n\n ```\n aws s3api put-bucket-policy\n --bucket insert-bucket-name-here\n --policy file://insert-bucket-policy-file-name-here.json\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.restrict_public_buckets == true\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tprincipal_aws := policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\ninsecure_policy_statements(s3_bucket) if {\n\tbucket_policy_statement := s3_bucket.bucket_policy_statement[_]\n\tbucket_policy_statement.statement_effect == \"Allow\"\n\tbucket_policy_statement.statement_has_condition == false\n\tinsecure_policy_principal(bucket_policy_statement.policy_principal)\n}\n\ncompliant_s3_bucket_access(s3_bucket) if {\n\taccount_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\taccount_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_policy_statements(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket_access(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 
0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is not publicly exposed via bucket policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket objects cannot be listed by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n* 18 March 2022 - Updated signal message, query and severity.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n[4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n[5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n[6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n[7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n[8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement 
is disabled.\n\n## Strategy\nThis detection monitors the change of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. 
You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic 
[resource-based policy][4] to prevent unintended access to the resource.\n\n## Rationale\n\nWhen a `*` is specified as a `Principal`, along with an `Allow` `Effect` it grants [anyone][5] the ability to perform actions on a resource. In this situation, if the policy includes the `sns:Subscribe` `Action`, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [resource-based policy][2] with an appropriate `Principal` ARN or a `Condition` element. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. 
Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes \\\n --topic-arn arn:aws:sns:region:123456789012:YourTopic \\\n --attribute-name Policy \\\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy(policy) if {\n\tpolicy.policy_principal.principal == \"*\"\n} else if {\n\tpolicy.policy_principal.principal_aws[_] == \"*\"\n}\n\nnon_compliant_statement_action(statement_action) if {\n\tlower(statement_action[_]) == \"sns:subscribe\"\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in 
sns_topic.policies\n\tlower(policy.statement_effect) == \"allow\"\n\tnon_compliant_policy(policy)\n\tnon_compliant_statement_action(policy.statement_action)\n\tpolicy.statement_has_condition == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has access restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `*` gives anyone access to publish on a topic. 
Unauthenticated users can publish arbitrary messages, potentially leading to loss of integrity and denial of service.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [access control policy][2] with an appropriate `Principal` ARN. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```bash\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name Policy\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\nnon_compliant_statement_action(statement_actions) if {\n\t\"SNS:Publish\" in statement_actions\n}\n\nnon_compliant_policy(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnon_compliant_statement_action(policy.statement_action)\n\tnot policy.statement_has_condition\n\n\tnon_compliant_policy_principal(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in sns_topic.policies\n\tnon_compliant_policy(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and regulatory requirements.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### From the command 
line\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sns_topic) = \"pass\" if {\n\tsns_topic.kms_master_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### From the console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### From the command line\n\nIf you do not have an access control policy, [create 
one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if 
{\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA 
database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From the command line\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"fail\" if {\n\tsome firewall_rule in sql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY 
IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. 
Click Save\n\n### Using PowerShell\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. 
In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" if {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\"\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your Cloud SQL 
databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From the command line\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" if {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\"\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From the console\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.encryption_protector.kind == \"azurekeyvault\"\n\tsql_server.encryption_protector.server_key_type == \"AzureKeyVault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master 
keys (CMK) for server-side encryption.\n\n### From the command line\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com//\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nhas_server_side_encryption(sqs_queue) if {\n\tsqs_queue.sqs_managed_sse_enabled == true\n} else if {\n\tsqs_queue.kms_master_key_id\n}\n\neval(sqs_queue) = \"pass\" if {\n\thas_server_side_encryption(sqs_queue)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized 
users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### From the command line\n\n1. Run the `list-queues` command to get a list of queue URLs.\n \n ```\n aws sqs list-queues --region insert-your-region-here\n ```\n\n2. Run the `get-queue-attributes` command with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes \\\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue \\\n --attribute-names Policy\n ```\n3. Run the `remove-permission` command to [remove any unwanted permissions][3] from your queue policy.\n\n ```\n aws sqs remove-permission \\\n --region insert-your-region-here \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-remove\n\n4. Run the `add-permission` command to [add a new permission][4] to your queue policy.\n\n ```\n aws sqs add-permission \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-add\n ```\n5. 
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/remove-permission.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. [Disable direct SSH access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: 
https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range 
in [\"22\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 22\n\tto_number(split_port_range[1]) >= 22\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(mysql_server) = \"pass\" if {\n\tmysql_server.ssl_enforcement == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_mysql_server"]},"validationQuery":"","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n1. Login to Azure Portal using [https://portal.azure.com][1]\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled to enforce SSL connection \n\n### From the command line\n\n ```\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security][2]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit][3]\n\n[1]: https://portal.azure.com\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.
2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tlower(postgresql_server.ssl_enforcement) == \"enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. 
\n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"}]} headers: Content-Type: - application/json 
@@ -113,7 +113,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":833}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file 
has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## 
Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. 
You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. 
You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ad_security_defaults_policy) = \"pass\" if {\n\tad_security_defaults_policy.is_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_ad_security_defaults_policy"]},"validationQuery":"","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. 
Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or 
modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. 
`/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. 
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. 
[https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot 
is_admin_user(gip)\n} else = \"fail\" if {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning 
service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. 
To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: 
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountUser\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == 
\"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database 
to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_checkpoints_on(server_config) if {\n\tserver_config.name == \"log_checkpoints\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_checkpoints_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. 
Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_connections_off(server_config) if 
{\n\tserver_config.name == \"log_connections\"\n\tserver_config.value == \"off\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_connections_off(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL 
Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_disconnections_on(server_config) if {\n\tserver_config.name == \"log_disconnections\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_disconnections_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL 
statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### From the console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### From the command line\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. 
Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. 
Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_numeric(x) if 
{\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\nserver_config_not_compliant(server_config) if {\n\tis_numeric(server_config.value)\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. 
Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","requirement:Storage-Accounts","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_blob_service(blob_service) if {\n\tblob_service.delete_retention_policy_enabled\n\tblob_service.delete_retention_policy_days > 0\n} else if {\n\tblob_service.delete_retention_policy.enabled\n\tblob_service.delete_retention_policy.days > 0\n}\n\neval(storage_account) = \"pass\" if {\n\tsome blob_service in storage_account.blob_services\n\tcompliant_blob_service(blob_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","source:azure.storage","level:1","requirement:Storage-Accounts","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.encryption.key_source == \"Microsoft.Keyvault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1574-hijack-execution-flow","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect attempts to load a malicious library.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as `LD_PRELOAD`, or configuration files such as `/etc/ld.so.preload/`, which the dynamic linker uses to load shared libraries. \n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.39 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dynamic_linker_config_unlink -@process.executable.path:(\"/usr/bin/dpkg\" OR \"/usr/bin/yum\")","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_unlink","distinctFields":[]},{"query":"@agent.rule_id:dynamic_linker_config_write","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_write","distinctFields":[]},{"query":"@agent.rule_id:ld_preload_unusual_library_path","groupByFields":["host"],"aggregation":"count","name":"ld_preload_unusual_library_path","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"suspected_dynamic_linker_hijacking","condition":"dynamic_linker_config_unlink > 0 || dynamic_linker_config_write > 0 || ld_preload_unusual_library_path > 0"}],"type":"workload_security","id":"qr1-yg4-ab3","createdAt":1670612608535,"name":"Suspected dynamic linker hijacking attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. 
If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. 
If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. \n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the 
Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092249514,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"workload_security","id":"6pg-sy3-vc5","isDefault":false,"name":"Test"},{"creationAuthorId":1445416,"tags":[],"isEnabled":false,"hasExtendedTitle":false,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092310914,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"c4n-gxt-rmi","isDefault":false,"name":"Test xxx1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets 
use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. 
[https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Paramet
er","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a 
project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"UDP\", \"*\"]\n\tsecurity_rule.direction == 
\"Inbound\"\n\tsecurity_rule.destination_port_range in [\"*\", \"53\", \"123\", \"161\", \"389\", \"1900\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. 
This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is 
executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":176,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.executable.name:\"unattended-upgrade\" -@process.ancestors.executable.name:(\"xtables-legacy-multi\" OR \"apt.systemd.daily\") -@module.name:(\"nf_tables\" OR \"iptable_filter\" OR \"ip6table_filter\" OR \"bpfilter\" OR \"ip6_tables\" OR \"ip6table_nat\" OR \"nf_reject_ipv4\" OR \"ipt_REJECT\" OR \"iptable_raw\")"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. 
In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. 
It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account 
token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a `Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. 
If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.executable.path:(\"/usr/bin/unattended-upgrade\" OR \"/usr/bin/dpkg\" OR \"/usr/bin/yum\" OR \"/usr/bin/rpm\") -@process.args:\"-D\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets while also receiving an error message of `AccessDenied`, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of `AccessDenied` messages while attempting to retrieve secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. 
Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n## Changelog\n* 25 October 2022 - Updated query.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue @error.kind:AccessDenied -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - 
Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging-and-Monitoring","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Go to **Monitor**.\n2. Select **Alerts**.\n3. Click On **New Alert Rule**.\n4. 
Under **Scope**, click **Select Resource**.\n5. Select the appropriate subscription under **Filter by Subscription**.\n6. Select **Policy Assignment** under **Filter by Resource Type**.\n7. Select **All** for **Filter by Location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Verify selection preview shows **All Policy** assignment (policyAssignments) and your selected subscription name.\n10. Click **Done**.\n11. Under **Condition** click **Add Condition**.\n12. Select **Create Policy Assignment** signal.\n13. Click **Done**.\n14. Under **Action Group**, select **Add Action Groups** and complete creation process or select appropriate action group.\n15. Under **Alert Rule Details**, enter **Alert Rule Name** and **Description**.\n16. Select appropriate resource group to save the alert to.\n17. Check **Enable alert rule upon creation** checkbox.\n18. Click **Create Alert Rule**.\n\n### From the Azure Command Line Interface\n\nTo create an Activity Log Alert for Create policy, use this command:\n```\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1\nbash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data mentioned below:\n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/write\",\n\t\t\t\t\t\"field\": 
\"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable parameters for the command line include the following: \n- \n- \n \nConfigurable parameters for `input.json` include the following: \n- in scopes \n- in actionGroupId \n- in actionGroupId \n- in actionGroupId\n\n\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2]\n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3]\n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n[5]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. 
Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate 
an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. 
\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := 
input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL 
Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\tnot 
condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. 
Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.security/securitysolutions/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if 
{\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. 
Using the Azure Portal search bar, search for **Monitor**. \n2. Select **Alerts** from the left-hand panel.\n3. Click **Create** and from the drop down select **Alert rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Virtual machines** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows your selected Virtual Machine(s) and subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Deallocate Virtual Machine** signal name. \n13. Navigate to **Actions**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Navigate to **Details** and select the appropriate resource group to save the alert to. \n16. Enter **Alert rule name** and **Alert rule description**.\n17. Under the **Advanced options** drop-down menu, click on the **Enable alert rule upon creation** checkbox.\n18. Click **Review + create** and verify all of the alert settings are correct.\n19. Click **Create**.\n\n### From the command line\n\n ```bash\n az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n ```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n ```json\n {\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n }\n ```\n\n**Using PowerShell AZ cmdlets**: \n ```powershell\n $ComplianceName = 'Deallocatete Virtual Machine'\n $Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n $Category = 'Administrative'\n $ResourceGroupName = 'MyResourceGroup'\n $actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n $ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n $Subscription = (Get-AzContext).Subscription\n $location = 'Global'\n $scope = \"/subscriptions/$($Subscription.Id)\"\n $alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n $conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n )\n Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate/action\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged 
for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the 
Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert 
:= input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","requirement:Azure","control:164.308-a-3-ii-a","control:2.3","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","framework:security-labs","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.3","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1
"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.network/loadbalancers/delete\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can 
detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object 
Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox.\n\n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:Logging-and-Monitoring","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight 
into changes in the **Policy - Assignments** page and reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data below: \n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n\t\t\t\t\t\"field\": \"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable Parameters for command line:\n- ``\n- ``\n\nConfigurable Parameters for `input.json`:\n- `` in scopes\n- `` in actionGroupId\n- `` in actionGroupId\n- `` in actionGroupId\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = 
\"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][1]\n2. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][3] \n4. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][4] \n5. [https://azure.microsoft.com/en-us/services/blueprints/][5]\n\n[1]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[2]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n[5]: https://azure.microsoft.com/en-us/services/blueprints/\n\n## Additional Information\n\n- This log alert also applies for Azure 
Blueprints.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete 
PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. 
Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. 
[https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operati
ons","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 'Delete Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security
","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tsome activity_log_alert in input.resources.azure_activity_log_alert\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/databases/move/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the 
console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful 
elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", 
[\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" if {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\"\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else if {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### From the command line\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"insert-vpc-policy-id\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"insert-allowed-arns\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run the `modify-vpc-endpoint` command with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint \\\n --region insert-region-here\n --vpc-endpoint-id insert-vpc-endpoint-id \\\n --policy-document file://insert-new-vpc-policy-filename.json\n ```\n\n3. Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.\n4. 
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement) if {\n\tcheck_principal_conditions(vpc_endpoint_policy_statement)\n\tnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement)\n}\n\nnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement) if {\n\tnot vpc_endpoint_policy_statement.statement_has_condition\n\tlower(vpc_endpoint_policy_statement.statement_effect) == \"allow\"\n}\n\ncheck_principal_conditions(vpc_endpoint_policy_statement) if {\n\tvpc_endpoint_policy_statement.policy_principal.principal == \"*\"\n} else if {\n\tvpc_endpoint_policy_statement.policy_principal.principal_aws[_] == \"*\"\n}\n\neval(vpc_endpoint_policy_statement) = \"fail\" if {\n\tnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc_endpoint_policy_statement"]},"validationQuery":"","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. [http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"1
64.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(vpc) = \"pass\" if {\n\tsome flowlog in vpc.flowlogs\n\tflowlog.flow_log_status == \"ACTIVE\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc"]},"validationQuery":"","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. 
\n\n## Strategy\nThis rule monitors Vault Audit Logs (`source:vault`) to detect when `root` is seen in:\n\n* auth policy (`@auth.policies`)\n\nThis rule also monitors the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n* 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.\n* 17 October 2022 - Updated queries and cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @http.url_details.path:\"sys/generate-root/attempt\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_initialized","distinctFields":[]},{"query":"source:vault @http.url_details.path:\"sys/generate-root/update\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root @type:response","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_used","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Initialized","condition":"root_token_initialized > 0"},{"status":"high","notifications":[],"name":"Created","condition":"root_token_created > 0"},{"status":"high","notifications":[],"name":"Used","condition":"root_token_used > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root 
Token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the 
most recent bug fixes and security patches.\n\n## Remediation\n\n### From the console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### From the command line\n\n1. Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.allow_version_upgrade\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\n### From the console\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\n### Using PowerShell\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"pass\" if {\n\tvirtual_machine_instance.storage_profile.os_disk.managed_disk_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email 
notifications to admins and subscription owners\". This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting 
\"Periodic recurring scans\" schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate 
for incoming requests. Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\n### From the command line\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.client_cert_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\n### From the console\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\n### From the command line\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_min_tls_version(app_service) if {\n\tapp_service.site_config_min_tls_version == \"1.2\"\n} else if {\n\tapp_service.site_config.min_tls_version == \"1.2\"\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_min_tls_version(app_service)\n} else = \"fail\"\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","framework:cis-azure","control:4.1","control:2.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\n### From the command line\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"2.1","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.https_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:windows","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes 
> 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log Cleared"}]} headers: Content-Type: - application/json 
@@ -130,7 +130,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":833}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin 
Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more 
restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121877,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"m1r-h1c-usk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1665663120"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 
3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121654,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1665663120_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"yhz-egd-p7o","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1665663120"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121765,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ccr-aoo-xc2","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1665663120"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered (updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule 
triggered","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":1,"createdAt":1665663121678,"filters":[],"queries":[{"distinctFields":[],"name":"my_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"pzl-svj-6y8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1665663120"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":1,"createdAt":1665663121768,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@value","aggregation":"new_value","metrics":["@value"],"groupByFields":["host"],"query":"does not really match much"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"oe9-gyh-mb2","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1665663120"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - 
updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121481,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ngm-obi-qbn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1665663120"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"}]} + {"meta":{"page":{"total_filtered_count":30,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. 
","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain 
Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall 
Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate 
administrators"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## 
Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540941284,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"o68-soo-c12","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540939"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540946161,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"r7n-huo-4rt","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540944"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package 
datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540952520,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"wth-wau-03b","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540950"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["terraform:true","test:acceptance-updated"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"Acceptance test TF rule - updated","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog # updated","resourceTypes":["gcp_compute_disk","gcp_compute_instance","gcp_compute_firewall"]},"complexRule":true},"keepAlive":21600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":true,"defaultGroupByFields":null,"userGroupByFields":["@resource","@resource_type"]},"cases":[{"status":"high","notifications":["@channel-upd"],"name":"","condition":"a > 0"}],"id":"u2m-agy-swa","createdAt":1671541008003,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671541006 - updated"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance 
test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542720397,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"grb-fzj-wqh","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542718"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542793321,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"il3-uli-eqq","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542791"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552482017,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"77c-zma-o7f","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552480"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552551633,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hop-rqz-f8v","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552550"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552663049,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 
0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhn-veo-7mp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552661"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552679840,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kbd-8wc-8cq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552678"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553311788,"filters":[{"action":"suppress","query":"does not really 
suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3am-l1f-ved","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553310"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553346438,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vmb-tgh-ihm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553344"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553410647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"p3o-o9v-1ha","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553409"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553453803,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qfz-lca-swv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553452"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553538312,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zmw-kgv-yds","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553537"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From the console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} headers: Content-Type: - application/json 
@@ -147,24 +147,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":32,"total_count":832}},"data":[{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663122165,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"jvn-8zf-uia","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"y1g-9sk-mfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"wwi-4gf-3lv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121853,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jvn-8zf-uia","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121822,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"y1g-9sk-mfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. 
This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":832}},"data":[]} + {"meta":{"page":{"total_filtered_count":0,"total_count":730}},"data":[]} headers: Content-Type: - application/json 
@@ -181,7 +164,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":832}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. 
The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to 
address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, 
\"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that 
are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From the console\n\n1. Go to **Microsoft Defender for Cloud**\n2. Click on **Environment Settings**\n3. Click on a subscription\n4. Click on **Auto Provisioning** in the left column.\n5. Ensure that **Log Analytics agent for Azure VMs** is set to **On**\n\n### From the command line\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" \nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body JSON data as mentioned below: \n\n```bash\n{\n\t\"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default \",\n\t\"name\": \"default\",\n\t\"type\": \"Microsoft.Security/autoProvisioningSettings\",\n\t\"properties\": {\n\t\t\"autoProvision\": \"On\"\n\t}\n}\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection][2]\n3. [https://msdn.microsoft.com/en-us/library/mt704062.aspx][3]\n4. [https://msdn.microsoft.com/en-us/library/mt704063.aspx][4]\n5. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list][5]\n6. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create][6]\n7. 
[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification][7]\n\n[1]: https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n[2]: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n[3]: https://msdn.microsoft.com/en-us/library/mt704062.aspx\n[4]: https://msdn.microsoft.com/en-us/library/mt704063.aspx\n[5]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n[6]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n[7]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n## Additional Information\n- Excluding any of the entries in `input.json` may disable the specific setting by default.\n- Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. 
This recommendation is updated accordingly.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_center_auto_provisioning) = \"fail\" if {\n\tsecurity_center_auto_provisioning.auto_provision == \"Off\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_center_auto_provisioning"]},"validationQuery":"","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. 
However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the console\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. 
Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"25.2","framework":"gdp
r","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_account_public_access_block) if {\n\ts3_account_public_access_block.block_public_acls\n\ts3_account_public_access_block.block_public_policy\n\ts3_account_public_access_block.ignore_public_acls\n\ts3_account_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else if {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"'Block Public Access' feature is enabled for S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\n### From the console\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. 
Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. Go back to the VM and re-attach the disk\n\n### Using PowerShell\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption_type(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Attached\"\n} else = \"pass\" if {\n\tcompliant_encryption_type(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:Storage-Accounts","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","control:6.5.3","framework:cis-azure","control:2.6","control:4.1","control:3.1","requirement:Control-Activities","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. 
Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\n### From the command line\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.6","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.supports_https_traffic_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tcontains(storage_account.network_acls.bypass, \"AzureServices\")\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome 
resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\n### From the console\n\n**Note:** Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n1. Go to `Virtual machines`\n2. For each virtual machine, go to `Settings`\n3. Click on `Disks`\n4. Click the `X` to detach the disk from the VM\n5. Now search for `Disks` and locate the unattached disk\n6. Click the disk then select `Encryption`\n7. Change your encryption type, then select your encryption set\n8. Click `Save`\n9. Go back to the VM and re-attach the disk\n\n### From the commandline\n\n```powershell\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;\n$KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss][4]\n2. 
[https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json][5]\n3. [https://docs.microsoft.com/en-us/rest/api/compute/disks/delete][6]\n4. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete][7]\n5. [https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings][8]\n6. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update][9]\n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest][10]\n\n\n[1]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[4]: https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n[5]: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n[6]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n[7]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[8]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[9]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n[10]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Unattached\"\n} else = \"pass\" if {\n\tcompliant_encryption(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. 
If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. 
Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = 
\"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum message 
severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value of the 
`log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.11","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for SQL instance\nconfiguration changes.\n\n## Rationale\nMonitoring changes to SQL instance configuration changes may reduce the time needed to\ndetect and correct SQL server misconfigurations.\nBelow are a few configurable options that may impact the security posture of an\nSQL instance:\n \u2022 Enable auto backups and high availability: Misconfiguration may adversely impact\n business 
continuity, disaster recovery, and high availability\n \u2022 Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n### Impact \nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation \n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and clicking **CREATE METRIC**.\n2. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.\n3. Clear any text and add:\n\n ```\n protoPayload.methodName=\"cloudsql.instances.update\"\n ```\n\n4. Click **Submit Filter**. Display logs appear based on the filter text.\n5. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. \nThis ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every SQL instance configuration change in the project.\n8. 
Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][9]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][10]\n\n\n\n## References\n1. [https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/storage/docs/overview][5]\n6. [https://cloud.google.com/sql/docs/][6]\n7. [https://cloud.google.com/sql/docs/mysql/][7]\n8. [https://cloud.google.com/sql/docs/postgres/][8]\n9. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][9]\n10. 
[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][10]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/storage/docs/overview\n[6]: https://cloud.google.com/sql/docs/\n[7]: https://cloud.google.com/sql/docs/mysql/\n[8]: https://cloud.google.com/sql/docs/postgres/\n[9]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[10]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_method_name_constant := upper(\"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := 
input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, filter_method_name_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"rtu-ij2-tg6","createdAt":1666265090604,"name":"A log metric filter and 
alert exists for SQL instance configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","control:2.9","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for Virtual Private Cloud (VPC) network changes.\n\n## Rationale\nIt is possible to have more than one VPC within a project. \nIn addition, it is also possible to create a peer connection between two VPCs to enable network traffic routing between VPCs.\n\nMonitoring changes to a VPC helps to ensure that VPC traffic flow is not getting impacted.\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n resource.type=gce_network\n AND (protoPayload.methodName:\"compute.networks.insert\"\n OR protoPayload.methodName:\"compute.networks.patch\"\n OR protoPayload.methodName:\"compute.networks.delete\"\n OR protoPayload.methodName:\"compute.networks.removePeering\"\n OR protoPayload.methodName:\"compute.networks.addPeering\")\n ```\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][6]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][7]\n\n\n\n## References\n1. 
[https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/vpc/docs/overview][5]\n6. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][6]\n7. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][7]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/vpc/docs/overview\n[6]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[7]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.9","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=gce_network\")\n\nfilter_method_name_1 := upper(\"protoPayload.methodName:\\\"compute.networks.insert\\\"\")\n\nfilter_method_name_2 := upper(\"protoPayload.methodName:\\\"compute.networks.patch\\\"\")\n\nfilter_method_name_3 := upper(\"protoPayload.methodName:\\\"compute.networks.delete\\\"\")\n\nfilter_method_name_4 := upper(\"protoPayload.methodName:\\\"compute.networks.removePeering\\\"\")\n\nfilter_method_name_5 := upper(\"protoPayload.methodName:\\\"compute.networks.addPeering\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type)\n\tcontains(filter_parsed, filter_method_name_1)\n\tcontains(filter_parsed, filter_method_name_2)\n\tcontains(filter_parsed, filter_method_name_3)\n\tcontains(filter_parsed, filter_method_name_4)\n\tcontains(filter_parsed, filter_method_name_5)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if 
{\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"zv2-vh1-ixx","createdAt":1665677590865,"name":"A log metric filter and alert exists for VPC network changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data\nAccess logs to help answer the question of \"Who did what, where, and when?\" within GCP\nprojects.\nCloud audit logging records information such as the identity of the API caller, the time of\nthe API call, the source 
IP address of the API caller, the request parameters, and the\nresponse elements returned by GCP services. Cloud audit logging provides a history of GCP\nAPI calls for an account, including API calls made through the console, SDKs, command-line\ntools, and other GCP services.\n\n## Rationale\nCloud audit logging to Admin Activity and Data Access logs enables security\nanalysis, resource change tracking, and compliance auditing.\nConfiguring the metric filter and alerts for audit configuration changes ensures that the\nrecommended state of audit configuration is maintained so that all activities in the project\ncan be audited at any point in time.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n protoPayload.methodName=\"SetIamPolicy\" AND\n protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n ```\n6. Click **Create Metric**.\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. 
Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every audit configuration change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_methodname_constant := upper(\"protoPayload.methodName=\\\"SetIamPolicy\\\"\")\n\nfilter_servicedata_constant := 
upper(\"protoPayload.serviceData.policyDelta.auditConfigDeltas:*\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, filter_methodname_constant)\n\tcontains(filter_parsed, filter_servicedata_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sni-qbq-wix","createdAt":1665677774002,"name":"A log metric filter and alert exists for audit configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.8","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network route changes.\n\n## Rationale\nGoogle Cloud Platform (GCP) routes define the paths taken by network traffic from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. 
Traffic whose destination IP is within the destination range is sent to the next hop\nfor delivery.\nMonitoring changes to route tables helps to ensure that all VPC traffic flows through an expected path.\n\n### Impact\nEnabling of logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console:\n\n#### Create the prescribed Log Metric:\n1. Go to [Logs-based Metrics][1] within **Logging** in the Google Cloud console and click **CREATE METRIC**.\n2. Click the down arrow symbol on the filter bar at the rightmost corner and select\n**Convert to Advanced Filter**.\n3. Clear any text and add:\n ```\n resource.type=\"gce_route\"\n AND (protoPayload.methodName:\"compute.routes.delete\"\n OR protoPayload.methodName:\"compute.routes.insert\"\n ```\n4. Click **Submit Filter**. Display logs appear based on the entered filter text.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`\n(default) and `Type` to `Counter`. This ensures that the log metric counts the number of\nlog entries matching the advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` in the\n[Logs-based Metrics][1] page in the Google Cloud console.\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create\nalert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold\nand configuration that makes sense for your organization. For example, a\nthreshold of zero(0) for the most recent value ensures that a notification is triggered\nfor every owner change in the project:\n ```\n Set `Aggregator` to `Count`\n Set `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n ```\n4. Configure the desired notification channels in the section **Notifications**.\n5. 
Name the `policy` and click **Save**.\n\n### From the command line:\n\n#### Create the prescribed Log Metric: \n\nUse the command `gcloud beta logging metrics create`. Read the [usage reference][2] in the Google Cloud documentation for more information.\n\n#### Create the prescribed alert policy:\n\nUse the command `gcloud alpha monitoring policies create`. Read the [usage reference][3] in the Google Cloud documentation for more information.\n\n## References\n\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][4]\n2. [https://cloud.google.com/monitoring/custom-metrics/][5]\n3. [https://cloud.google.com/monitoring/alerts/][6]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][7]\n5. [https://cloud.google.com/storage/docs/access-control/iam][8]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[3]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[4]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[5]: https://cloud.google.com/monitoring/custom-metrics/\n[6]: https://cloud.google.com/monitoring/alerts/\n[7]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[8]: 
https://cloud.google.com/storage/docs/access-control/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.8","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=\\\"gce_route\\\"\")\n\nfilter_method_name_delete_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.delete\\\"\")\n\nfilter_method_name_delete := upper(\"protoPayload.methodName:\\\"compute.routes.delete\\\"\")\n\nfilter_method_name_insert_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.insert\\\"\")\n\nfilter_method_name_insert := upper(\"protoPayload.methodName:\\\"compute.routes.insert\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_filter(filter_parsed, 
filter_method_name_beta, filter_method_name) if {\n\tcontains(filter_parsed, filter_method_name_beta)\n} else if {\n\tcontains(filter_parsed, filter_method_name)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\n\tcontains(filter_parsed, filter_resource_type)\n\n\tvalid_filter(filter_parsed, filter_method_name_delete_beta, filter_method_name_delete)\n\tvalid_filter(filter_parsed, filter_method_name_insert_beta, filter_method_name_insert)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.notification_channels[_]\n\tmonitoring_alert_policy.enabled == true\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-dyl-9lb","createdAt":1668685067568,"name":"A log metric filter and alerts exist for VPC Network route changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.7","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network firewall rule changes.\n\n## Rationale\nMonitoring create or update firewall rule events gives insight to network access\nchanges and may reduce the time it takes to detect suspicious activity.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. 
Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"gce_firewall_rule\"\n AND protoPayload.methodName:\"compute.firewalls.patch\"\n OR protoPayload.methodName:\"compute.firewalls.insert\"\n OR protoPayload.methodName:\"compute.firewalls.delete\"\n ```\n \n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network firewall rule change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. 
Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/vpc/docs/firewalls][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: 
https://cloud.google.com/vpc/docs/firewalls\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.7","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"gce_firewall_rule\\\"\")\n\nfilter_patch_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.patch\\\"\")\n\nfilter_insert_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.insert\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.delete\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, 
logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_patch_constant)\n\tcontains(filter_parsed, filter_insert_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"xrg-k52-qt3","createdAt":1665677775464,"name":"A log metric filter and alerts exist for VPC network firewall rule 
changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.6","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for changes to Identity and\nAccess Management (IAM) role creation, deletion and updating activities.\n\n## Rationale\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google\nCloud Platform resources and prevent unwanted access to other resources. However, to\ncater to organization-specific needs, Cloud IAM also provides the ability to create custom\nroles. Project owners and administrators with the Organization Role Administrator role or\nthe IAM Role Administrator role can create custom roles. Monitoring role creation, deletion\nand updating activities helps identify any over-privileged role an early stage.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"iam_role\"\n AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"\n ```\n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every custom role change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. 
[https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/iam/docs/understanding-custom-roles][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/iam/docs/understanding-custom-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.6","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"iam_role\\\"\")\n\nfilter_create_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"\")\n\nfilter_update_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_create_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n\tcontains(filter_parsed, filter_update_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"8jp-b4x-ubz","createdAt":1665677984333,"name":"A log metric filter and alerts exist for custom role changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate does not expire within the next 7 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### From the console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### From the command line\n\n1. 
Run the [`delete-certificate`][2] command to remove the invalid certificate.\n\n ```\n aws acm delete-certificate --certificate-arn insert-certificate-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.\n\n## Rationale\n\n[Requests for ACM certificates time out if they are not validated within 72 hours][1]. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources. \n\n[ACM either renews your certificates automatically (if you are using DNS validation)][2], or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service. \n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up DNS Validation][3] or [Resending Validation Email][4] docs to validate a certificate in the AWS Console or by email.\n\n### From the command line\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[4]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is not pending 
validation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly. 
AMIs should only be shared with [specific AWS accounts][2] or [your AWS Organization][3].\n\n## Remediation\n\n### From the console\n\nFollow the instructions outlined in the [AWS documentation][4].\n\n### From the command line\n\nUse the following command to stop sharing the AMI:\n\n ```bash\n aws ec2 modify-image-attribute \\\n --image-id ami-xxxx \\\n --launch-permission \"Remove=[{Group=all}]\"\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308
-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tnot ami.image_owner_alias in [\"aws-marketplace\", \"amazon\"]\n} else if {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" if {\n\tami.public == false\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add steps to Triage and response section.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. 
Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect a successful `@evt.name:DeleteLogGroup` event.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` through a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n<<<<<<< HEAD\n[1]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n=======\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n>>>>>>> main\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. 
If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR 
cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no 
mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n* 10 March 2022 - Rule updated.\n* 15 December 2022 - Rule updated to cover edge case.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ConsoleLogin -@level:Error (@userIdentity.sessionContext.attributes.mfaAuthenticated:true OR @additionalEventData.MFAUsed:Yes) -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a 
user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n* 18 November 2022 - Updated severity.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false 
@responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add additional triage and response steps.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n## Changelog\n* 18 March 2022 - Rule query and severity updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR 
Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":20,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a 
scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. 
Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n## Changelog\n* 14 November 2022 - Updated severity.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 4 April 2022 - Rule query and signal message updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"}]} headers: Content-Type: - application/json 
@@ -198,7 +181,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":832}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking 
tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* 
[Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you 
monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 
0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* [DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. 
If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR 
DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM 
group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy 
@requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS 
IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a 
user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR 
Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:S3/AccountBlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Contact the user and determine why the user disabled the S3 Block Access feature. \n3. 
Re-enable S3 Block Public Access.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-kalilinux\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. 
Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty 
integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n## Changelog\n* 16 March 2022 - Rule severity and markdown updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n* 7 April 2022 - Updated rule query and signal message.\n* 5 January 2023 - Updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 7 April 2022 - Update rule and signal message.\n* 15 December 2022 - Update query to include Access Denied events and reduce severity.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated","distinctFields":[]},{"query":"source:cloudtrail @error.kind:AccessDenied @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated_access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful","condition":"aws_route53_querylogging_disassociated > 0"},{"status":"info","notifications":[],"name":"Access Denied","condition":"aws_route53_querylogging_disassociated_access_denied > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified 
with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR 
DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.\n31 October 2022 - updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 14 November 2022 - Updated options.\n\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. 
Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:Identity-and-Access-Management","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else if {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot 
keys_created_during_setup(credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else if {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_ip_addresses(azure_postgresql_firewall_rule) if {\n\tazure_postgresql_firewall_rule.start_ip_address != \"0.0.0.0\"\n} else if {\n\tazure_postgresql_firewall_rule.end_ip_address != \"0.0.0.0\"\n}\n\neval(azure_postgresql_firewall_rule) = \"pass\" if {\n\tnot azure_postgresql_firewall_rule.name in [\"ALL\", 
\"AllowAllAzureIps\"]\n\tcompliant_ip_addresses(azure_postgresql_firewall_rule)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_firewall_rule"]},"validationQuery":"","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 
5432\n\trule.to_port >= 5432\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\nTo update a security group rule: \n\n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2]\n2. In the navigation pane, choose **Security Groups**.\n3. Select the security group to update, then choose **Actions**.\n4. Choose **Edit inbound rules** to remove an inbound rule, or **Edit outbound rules** to remove an outbound rule.\n5. Update the rule as required.\n6. Choose **Preview changes**, **Confirm**.\n\nTo delete a security group rule: \n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2].\n2. In the navigation pane, choose **Security Groups**.\n3. 
Choose the **Delete** button to the right of the rule to delete.\n4. Choose **Preview changes**, **Confirm**.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","f
ramework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. 
This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. 
https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. 
See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle 
managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. 
Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. [https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical
-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have 
an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n} else if {\n\tkey_vault_key.attributes.enabled == true\n\tnot key_vault_key.attributes.exp == 0\n\tnot key_vault_key.attributes.exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tkey_vault_secret.attributes_exp\n\tnot key_vault_secret.attributes_exp == 0\n} else if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes.enabled == 
true\n\tkey_vault_secret.attributes.exp\n\tnot key_vault_secret.attributes.exp == 0\n}\n\neval(key_vault_secret) = \"pass\" if {\n\tcompliant(key_vault_secret)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. 
You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-discovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 17 October 2022 - Updated tags.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":19,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. \n\n### From the commandline\n\n1. For each server, [set retention policy][3] for more than or equal to 90 days.\n\n ```powershell\n Set-AzSqlServerAuditing -State Enabled -ServerName \"\" -ResourceGroupName \"\" -StorageAccountName \"abcd1234abcd1234abcd1234\" -RetentionInDays \n ```\n\n**Note:** You can set the number of days to 0 for unlimited retention.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]\n\n[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0][3]\n[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"A
udit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_retention_period(audit_setting) if {\n\taudit_setting.retention_days == 0\n} else if {\n\taudit_setting.retention_days >= 90\n}\n\neval(sql_server) = \"pass\" if {\n\tlower(sql_server.audit_setting.state) == \"enabled\"\n\tcompliant_retention_period(sql_server.audit_setting)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. 
This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. 
Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" if {\n\tcompliant(iam_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.audit_setting.state == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n* 15 November 2022 - Updated query to reduce false positives, updated option values.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication @evt.outcome:success ((-@properties.authenticationDetails.authenticationMethod:\"Previously satisfied\" -@properties.authenticationDetails.authenticationStepResultDetail:\"First factor requirement satisfied by claim in the token\") OR -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\") OR -@properties.authenticationDetails.authenticationMethod:\"Windows Hello for Business\") @properties.authenticationDetails.authenticationStepRequirement:\"Primary authentication\"","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n* 26 October 2022 - Updated query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 4 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 4"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure AD brute force login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that 
use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor 
Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. 
From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_active_directory_administrators(sql_server) if {\n\tsome active_directory_administrator in sql_server.active_directory_administrators\n\tactive_directory_administrator.administrator_type == \"ActiveDirectory\"\n\tactive_directory_administrator.name == \"ActiveDirectory\"\n} else if {\n\tnot sql_server.active_directory_administrators\n}\n\neval(sql_server) = \"pass\" if 
{\n\tcompliant_active_directory_administrators(sql_server)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. 
Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky 
Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf [remote debugging][1] is enabled, this can allow an attacker access to your applications. To reduce your attack surface, disable remote debugging when not actively needed. \n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list \\\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n ```\n az webapp config show \\\n\t--ids \"\" \\\n\t--query 'remoteDebuggingEnabled'\n ```\n3. Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set \\\n\t--ids \"\" \\\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.\n\n\n## References\n1. 
[Azure webapp config set][2]\n\n[1]: https://devblogs.microsoft.com/premier-developer/remote-debugging-azure-app-services/\n[2]: https://learn.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_remote_debugging_enabled == true\n} else if {\n\tapp_service.site_config.remote_debugging_enabled == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. 
Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == false\n} else if {\n\tapp_service.site_config.always_on == false\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == true\n} else if {\n\tapp_service.site_config.always_on == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. 
If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:Control-Activities","control:9.9","requirement:AppService","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From the command line\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_site_config(app_service) if {\n\tapp_service.site_config_http20_enabled\n} else if {\n\tapp_service.site_config.http20_enabled\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_site_config(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\"\nand \"Soft Delete\" functions. 
This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. 
\n\nEnabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n**WARNING**: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\n## Remediation\n\nEnable \"Do Not Purge\" and \"Soft Delete\" for a key vault.\n\n### From the console\n\n1. Go to **Key Vaults**.\n2. Click **Properties**.\n3. Ensure the status of soft-delete reads **'Soft delete has been enabled on this key vault'**.\n4. At the bottom of the page, click **'Enable Purge Protection'**.\n\n### From the command line \n\n ```bash\n az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n ```\n\n### From Powershell\n\n ```powershell\n Update-AzKeyVault -VaultName 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is 
recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. [https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"}]} headers: Content-Type: - application/json 
@@ -215,7 +198,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":831}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. 
If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requir
ement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_authentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. 
Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### From the console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### From the command line\n\n1. Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: 
https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tto_number(postgresql_server.version) >= 11\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### From the command line\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. 
When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"contr
ol":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tpostgresql_server.storage_profile_geo_redundant_backup != \"Disabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.notifications_by_role.state == \"On\"\n\t\"Owner\" in security_contact.properties.notifications_by_role.roles\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. 
This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.alert_notifications.minimal_severity == \"High\"\n\tsecurity_contact.properties.alert_notifications.state == \"On\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.emails != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:azure","scope:azure-active-directory","technique:T1098-account-manipulation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure service principal being assigned an Azure role.\n\n## Strategy\nMonitor Azure Activity logs for the following operations:\n\n* `@evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"`\n* `@properties.requestbody:*ServicePrincipal*`\n\n## Triage and response\n1. Determine if this activity is legitimate by investigating the: \n * Source IP of this activity: `{{@network.client.ip}}`\n * The user who made this request: `@identity.claims.name`\n * The role that was assigned to the application or service principal.\n2. 
If this user should not be assigning this Azure role and if the service principal should not be assigned this role:\n * Revoke access of compromised credentials.\n * Remove unauthorized app registration and/or service principal.\n * Investigate other activities performed by the source IP `{{@network.client.ip}}` in the IP Investigation Dashboard.\n * Investigate other activities performed by the user `{{@usr.id}}` in the User Investigation Dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.authorization @evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" @properties.requestbody:*ServicePrincipal*","groupByFields":["@usr.id","@network.client.ip"],"aggregation":"count","name":"role_assignment","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"role_assignment > 0"}],"type":"log_detection","id":"vu1-3je-k6m","createdAt":1661900093294,"name":"Azure Service Principal was assigned a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","scope:azure.compute","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","source:azure.compute","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### From the command line\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output 
as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"skip\" if {\n\tnot virtual_machine_instance.os_profile.linux_configuration\n} else = \"pass\" if {\n\tvirtual_machine_instance.os_profile.linux_configuration.disable_password_authentication == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH 
Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_assignable_scope(assignable_scope) if {\n\tassignable_scope == \"/\"\n} else if {\n\tstartswith(assignable_scope, \"/subscriptions\")\n}\n\nnon_compliant_type(role_definition) if {\n\tlower(role_definition.properties_type) == \"customrole\"\n} else if {\n\tlower(role_definition.type) == \"customrole\"\n}\n\nnon_compliant_role_definition(role_definition) if 
{\n\tnon_compliant_type(role_definition)\n\tsome permission in role_definition.permissions\n\tsome action in permission.actions\n\taction == \"*\"\n\tsome assignable_scope in role_definition.assignable_scopes\n\tnon_compliant_assignable_scope(assignable_scope)\n}\n\neval(role_definition) = \"fail\" if {\n\tnon_compliant_role_definition(role_definition)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_role_definition"]},"validationQuery":"","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. 
Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.\n\n## Changelog\n* 2 November 2022 - Update strategy.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","requirement:AppService","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. 
Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.31
2-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"\"\n} else if {\n\tapp_service.site_config.java_version == \"\"\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"11\"\n} else if {\n\tapp_service.site_config.java_version == \"11\"\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\n### From the command line\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_php_version == \"\"\n} else if {\n\tapp_service.site_config.php_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.4.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_php_version)\n} else if 
{\n\tnon_compliant_version(app_service.site_config.php_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. 
Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","ver
sion":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_python_version == \"\"\n} else if {\n\tapp_service.site_config.python_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"3.6.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_python_version)\n} else if {\n\tnon_compliant_version(app_service.site_config.python_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### From the command line\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nretention_policy_not_compliant(enabled, days) if {\n\tenabled == true\n\tdays >= 1\n\tdays <= 89\n} else if {\n\tenabled == false\n}\n\nflow_log_not_compliant(flow_log) if {\n\tretention_policy_not_compliant(flow_log.retention_policy_enabled, flow_log.retention_policy_days)\n} else if {\n\tretention_policy_not_compliant(flow_log.retention_policy.enabled, flow_log.retention_policy.days)\n}\n\nflow_log_retention_policy_enabled(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else if {\n\tflow_log.retention_policy.enabled == true\n}\n\neval(network_watcher) = \"fail\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_retention_policy_enabled(flow_log)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is 
added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From the command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else if {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on the ARN: 
{{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is 
required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse a secure protocol and cipher to protect communication between the client and your Classic Elastic Load Balancers (ELBs). TLS 1.0 and 1.1 are vulnerable to attacks due to multiple insecurities, for this reason we recommend the use of `ELBSecurityPolicy-TLS-1-2-2017-01` which authorizes TLS 1.2. \n\n## Rationale\n\nInsecure communication channels increase the risk of attacks, such as man-in-the-middle, downgrade attacks, and sensitive data breaches. It is recommended to configure listeners to use HTTPS, or SSL, and `ELBSecurityPolicy-TLS-1-2-2017-01`, or a custom policy with an equivalent or more secure [configuration][1]. 
TLS on port 443 will generate a `pass` condition for this rule only if a secure policy is attached to the listener.\n\n### Protocol and cipher details\n\nThis configuration check tests for a listener configured using HTTPS, SSL, or TLS on port 443, as well as for the absence of [ciphers][6] and [protocols][1] for secure listener configurations that are not recommended by AWS.\n\n\n## Remediation\n\nIt is recommended to modify listeners configured to use TLS on port 443, to HTTPS on port 443, and select a secure policy.\n\n### From the console\n\n1. Follow the [Create an HTTPS/SSL load balancer using the console][2] documentation to learn how to create an HTTPS/SSL load balancer in the AWS console. \n2. Follow the [Update the SSL negotiation configuration using the console][4] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. \n\n### From the command line\n\n1. Follow the [Create an HTTPS/SSL load balancer using the AWS CLI][3] documentation to learn how to create an HTTPS/SSL load balancer in the AWS command line. \n2. Follow the [Update the SSL negotiation configuration using the console][5] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. 
\n\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-console\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt\n[4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-console\n[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-cli\n[6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-S
ecurity","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nweak_ciphers_and_protocols := {\n\t\"Protocol-SSLv2\", \"Protocol-SSLv3\",\n\t\"Protocol-TLSv1.1\", \"Protocol-TLSv1\",\n\t\"CAMELLIA128-SHA\", \"EDH-RSA-DES-CBC3-SHA\", \"DES-CBC3-SHA\", \"ECDHE-RSA-RC4-SHA\", \"RC4-SHA\", \"ECDHE-ECDSA-RC4-SHA\", \"DHE-DSS-AES256-GCM-SHA384\",\n\t\"DHE-RSA-AES256-GCM-SHA384\", \"DHE-RSA-AES256-SHA256\", \"DHE-DSS-AES256-SHA256\", \"DHE-RSA-AES256-SHA\", \"DHE-DSS-AES256-SHA\",\n\t\"DHE-RSA-CAMELLIA256-SHA\", \"DHE-DSS-CAMELLIA256-SHA\", \"CAMELLIA256-SHA\", \"EDH-DSS-DES-CBC3-SHA\", \"DHE-DSS-AES128-GCM-SHA256\",\n\t\"DHE-RSA-AES128-GCM-SHA256\", \"DHE-RSA-AES128-SHA256\", \"DHE-DSS-AES128-SHA256\", \"DHE-RSA-CAMELLIA128-SHA\", \"DHE-DSS-CAMELLIA128-SHA\",\n\t\"ADH-AES128-GCM-SHA256\", \"ADH-AES128-SHA\", \"ADH-AES128-SHA256\", \"ADH-AES256-GCM-SHA384\", \"ADH-AES256-SHA\", \"ADH-AES256-SHA256\",\n\t\"ADH-CAMELLIA128-SHA\", \"ADH-CAMELLIA256-SHA\", \"ADH-DES-CBC3-SHA\", \"ADH-DES-CBC-SHA\", \"ADH-RC4-MD5\", \"ADH-SEED-SHA\", \"DES-CBC-SHA\",\n\t\"DHE-DSS-SEED-SHA\", \"DHE-RSA-SEED-SHA\", \"EDH-DSS-DES-CBC-SHA\", \"EDH-RSA-DES-CBC-SHA\", \"IDEA-CBC-SHA\", \"RC4-MD5\", \"SEED-SHA\", \"DES-CBC3-MD5\",\n\t\"DES-CBC-MD5\", \"RC2-CBC-MD5\", \"PSK-AES256-CBC-SHA\", \"PSK-3DES-EDE-CBC-SHA\", \"KRB5-DES-CBC3-SHA\", \"KRB5-DES-CBC3-MD5\", \"PSK-AES128-CBC-SHA\",\n\t\"PSK-RC4-SHA\", \"KRB5-RC4-SHA\", \"KRB5-RC4-MD5\", \"KRB5-DES-CBC-SHA\", \"KRB5-DES-CBC-MD5\", \"EXP-EDH-RSA-DES-CBC-SHA\", \"EXP-EDH-DSS-DES-CBC-SHA\",\n\t\"EXP-ADH-DES-CBC-SHA\", \"EXP-DES-CBC-SHA\", \"EXP-RC2-CBC-MD5\", \"EXP-KRB5-RC2-CBC-SHA\", \"EXP-KRB5-DES-CBC-SHA\", \"EXP-KRB5-RC2-CBC-MD5\",\n\t\"EXP-KRB5-DES-CBC-MD5\", \"EXP-ADH-RC4-MD5\", \"EXP-RC4-MD5\", 
\"EXP-KRB5-RC4-SHA\", \"EXP-KRB5-RC4-MD5\", \"DHE-RSA-AES128-SHA\", \"ECDHE-RSA-AES128-SHA\",\n\t\"ECDHE-ECDSA-AES128-SHA\", \"DHE-DSS-AES128-SHA\",\n}\n\ncompliant_protocol(elb_load_balancer) if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"HTTPS\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"SSL\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"TCP\"\n\telb_load_balancer.listener_descriptions[_].listener.load_balancer_port == 443\n}\n\nnon_compliant_encryption(elb_load_balancer) if {\n\tprotocol := elb_load_balancer.policy_descriptions[_].policy_attribute_descriptions[_]\n\tprotocol.attribute_name in weak_ciphers_and_protocols\n\tlower(protocol.attribute_value) == \"true\"\n}\n\npolicy_exists(elb_load_balancer) if {\n\telb_load_balancer.listener_descriptions[_].policy_names[_]\n}\n\neval(elb_load_balancer) = \"pass\" if {\n\tcompliant_protocol(elb_load_balancer)\n\tpolicy_exists(elb_load_balancer)\n\tnot non_compliant_encryption(elb_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wco-bmg-rfd","createdAt":1670369344591,"name":"Classic Load Balancer 
listener is securely configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. 
Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","v
ersion":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\"\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### From the console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### From the 
command line\n\n1. Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.web_acl_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### From the console\n\nFollow the [Values That You Specify When You Create or Update a 
Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nnon_compliant_distribution_config(origin_protocol_policy) if {\n\torigin_protocol_policy == \"TLSv1\"\n} else if {\n\torigin_protocol_policy == \"TLSv1_2016\"\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution.distribution_config.viewer_certificate.minimum_protocol_version)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnot cloudfront_distribution.distribution_config.logging.enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### From the console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### From the command line\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.include_global_service_events\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. 
CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.log_file_validation_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account 
and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. 
CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.kms_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS 
CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","scored:true","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsures AWS CloudTrail is enabled across all AWS regions.\n\n## Rationale\n\nAWS CloudTrail has the ability to deliver log files from multiple regions to a single S3 bucket, and a single CloudWatch Logs log group. This centralizes storage and control of logs data. \n\n## Remediation\n\nIt is beneficial to create an Organization trail, as that will create a trail with that name in every region, in every account belonging to the Organization. See the [Creating a trail for an organization][1] documentation for additional details.\n\nIf you are not using AWS Organizations, you can create a multi-region CloudTrail trail directly in the affected AWS account.\n\n### From the console\n\nTo create an Organization trail:\n1. Follow the [Creating a trail for an organization][2] instructions to get started with CloudTrail.\n\nTo create a multi-region trail in an AWS account:\n1. 
Follow the [Creating and updating a trail with the console][3] instructions to get started with CloudTrail. This will enable a multi-region CloudTrail by default. \n\n### From the command line\n\nTo convert a single-region trail to multi-region using the command line:\n\n1. Run `aws cloudtrail describe-trails` to investigate your current CloudTrail configuration.\n2. Run `update-trail` with the following arguments on your selected trail to [enable multi-region-trail][4].\n ```\n aws cloudtrail update-trail\n --name my-trail\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-console.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls
","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.is_multi_region_trail\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":21,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### From the console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. 
Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","f
ramework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_origin_protocol_policy(origin_protocol_policy) if {\n\torigin_protocol_policy == \"http-only\"\n} else if {\n\torigin_protocol_policy == \"match-viewer\"\n}\n\nnon_compliant_distribution_config(cloudfront_distribution) if {\n\tsome item in cloudfront_distribution.distribution_config.origins.items\n\tnon_compliant_origin_protocol_policy(item.custom_origin_config.origin_protocol_policy)\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### From the command line\n\n1. Generate a RSA key pair. Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. 
Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. 
Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.field_level_encryption_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### From the 
console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.viewer_protocol_policy == \"allow-all\"\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. 
For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From the console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" if {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\"\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else if {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (for example, `kubectl` or `docker`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `docker`) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"get\" AND \"--all-namespaces\") OR @process.args:(\"cluster-info\") OR @process.args:(\"auth\" AND \"can-i\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_enumeration","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"create\" AND \"namespace\") OR @process.args:(\"run\" AND \"image=\") OR @process.args:(\"port-forward\") OR @process.args:(\"attach\") OR @process.args:(\"exec\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_provision","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/docker\" (@process.args:(\"run\" AND \"--privileged\") OR @process.args:(\"exec\" AND \"-it\") OR @process.args:(\"run\" AND \"--cap-add\") OR @process.args:(\"apparmor=unconfined\") OR @process.args:(\"attach\"))","groupByFields":["host"],"aggregation":"count","name":"docker_provision","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kubectl_enumeration","condition":"kubectl_enumeration > 
0"},{"status":"medium","notifications":[],"name":"kubectl_provision","condition":"kubectl_provision > 0"},{"status":"medium","notifications":[],"name":"docker_provision","condition":"docker_provision > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. 
\n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. 
https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. 
Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. 
A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is 
set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. \n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. 
https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address or user agent 
when multiple user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and at least 5 of the `@evt.outcome` are equal to `false` by the same network IP address or user agent.\n\nSecurity Signal returns **MEDIUM** if`@evt.outcome` has value of `success` after 5 multiple failed logins by the same network IP address or user agent.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n* 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.\n* 26 October 2022 - Updated query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 
50055)","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_user_agent","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"count","name":"successful_login_same_user_agent","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4 && successful_login_same_user_agent > 0"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4"}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## 
Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* 
@evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.\n\n## Changelog\n* 2 November 2022 - Updated severity.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":56,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. 
Remediate compromised user accounts.\n\n## Changelog\n* 5 January 2023 - Updated query, severity of cases, and group by values.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:(\"Invalid Password\" OR \"User is Inactive\")","groupByFields":["@network.client.ip","@login_url"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @evt.name:LoginEvent @status:\"Success\"","groupByFields":["@network.client.ip","@login_url"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"at least 1 unique login success from a single IP","condition":"unique_users_failing_to_login >= 5 && successful_login>=1"},{"status":"low","notifications":[],"name":"at least 5 unique users have failed to login from a single IP","condition":"unique_users_failing_to_login >= 5"}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. 
This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename 
OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else if {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else if {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else if {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else if {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, 
credential_report, \"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\" -(@process.executable.path:\"/usr/bin/touch\" @file.path:\"/var/spool/cron/lastrun\")","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. 
Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" if {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Transparent 
Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_transparent_data_encryption(transparent_data_encryption) if {\n\ttransparent_data_encryption.status == \"Enabled\"\n} else if {\n\ttransparent_data_encryption.state == \"Enabled\"\n}\n\neval(sql_server_database) = \"pass\" if {\n\tcompliant_transparent_data_encryption(sql_server_database.transparent_data_encryption)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server_database"]},"validationQuery":"","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\" -(@process.ancestors.executable.name:postgres @process.args:*pg_wal*)","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job 
data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console\n\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. 
Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3
.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.network_acls.default_action == \"Deny\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for 
Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From the console\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(diagnostic_setting) = \"fail\" if {\n\tsome log in diagnostic_setting.logs\n\tlog.category in [\"Administrative\", \"Alert\", \"Policy\", \"Security\"]\n\tlog.enabled == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_diagnostic_setting"]},"validationQuery":"","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"}]} headers: Content-Type: - application/json 
@@ -232,7 +215,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":829}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. 
https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB 
data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: 
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb 
(@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. 
If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requiremen
t":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside 
containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### From the command line\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dynamodb) = \"pass\" if 
{\n\tupper(dynamodb.sse_description.status) == \"ENABLED\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_dynamodb"]},"validationQuery":"","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) 
snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### From the console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### From the command line\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"pass\" if {\n\tebs_snapshot.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized 
users.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_volume) = \"pass\" if {\n\tebs_volume.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ebs_volume"]},"validationQuery":"","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","control:1.11","security:compliance","source:ebs","control:6.5.3","cloud_provider:aws","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.11","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"fail\" if {\n\tsome permission in ebs_snapshot.create_volume_permissions\n\tpermission.group == \"all\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. 
\n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ec2_instance) = \"pass\" if {\n\tec2_instance.metadata_options.http_tokens == \"required\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ec2_instance"]},"validationQuery":"","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses 
IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### From the console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. 
Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"contro
l":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_access_logs(elb_load_balancer) if {\n\tsome attribute in elb_load_balancer.attributes\n\tattribute.access_log_enabled\n} else if {\n\telb_load_balancer.load_balancer_attributes.access_log.enabled\n}\n\neval(elb_load_balancer) = \"fail\" if {\n\tnot compliant_access_logs(elb_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### From the console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] doc to learn how to create a listener that checks for connection requests.\n\n### From the command line\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] doc.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912 \\\n --protocol HTTPS \\\n --port 443 \\\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456 \\\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(elbv2_load_balancer) if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTPS\"\n} else if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTP\"\n\telbv2_load_balancer.listeners[_].default_actions[_].redirect_config.protocol == \"HTTPS\"\n\telbv2_load_balancer.listeners[_].default_actions[_].type == \"redirect\"\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"fail\" if {\n\tnot compliant_listener(elbv2_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure 
listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLB's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n## Remediation\n\n### From the console\n\nFollow the [Create a listener for your network load balancer][1] doc to learn how to add a TLS listener to your network load balancer.\n\n### From the command line\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. 
Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] doc.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \\\n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \\\n --protocol TLS \\\n --port 443 \\\n --ssl-policy ELBSecurityPolicy-2016-08 \\\n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(listener) if {\n\tlistener.protocol == \"TCP\"\n\tlistener.port == 443\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\tnot elbv2_load_balancer.type == \"network\"\n} else = \"fail\" if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol != \"TLS\"\n\tnot compliant_listener(listener)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access 
Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### From the console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### From the command line\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else if {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### From the console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### From the command line\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"pass\" if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.ssl_policy in [\"ELBSecurityPolicy-TLS-1-1-2017-01\", \"ELBSecurityPolicy-TLS-1-2-Ext-2018-06\", \"ELBSecurityPolicy-FS-1-2-Res-2019-08\", \"ELBSecurityPolicy-FS-1-1-2019-08\", \"ELBSecurityPolicy-FS-1-2-Res-2020-10\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. 
Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### From the console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### From the command line\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.configuration_endpoint.port == 11211\n} else if {\n\telasticache.engine == \"redis\"\n\telasticache.configuration_endpoint.port == 6379\n}\n\neval(elasticache) = \"fail\" if {\n\tdefault_port_used(elasticache)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### From the command line\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticache) = \"pass\" if {\n\tcount(elasticache.cache_subnet_group_name) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### From the console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the 
console.\n\n### From the command line\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n --multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_engine_version(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.engine_version == \"1.6.6\"\n} else if {\n\telasticache.engine == \"redis\"\n\tstartswith(elasticache.engine_version, \"6.\")\n} else if {\n\tnot elasticache.engine in [\"memcached\", \"redis\"]\n}\n\neval(elasticache) = \"pass\" if {\n\tcompliant_engine_version(elasticache)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### From the console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### From the command line\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: 
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(version) = \"pass\" if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" if {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := dd_common.format_semver(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### OpenSearch\n\nIf you are using OpenSearch Service Domains, refer to Amazon's [guide for creating and managing Amazon 
OpenSearch Service domains][1] for both console and CLI remediation actions. \n\n### From the console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\neval(elasticsearch_domain) = \"fail\" if {\n\tsome policy in elasticsearch_domain.policies\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource 
in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra 
layer of security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Pro
cess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\tendswith(elasticsearch_domain.endpoint, \".es.amazonaws.com\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a 
VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement encryption at rest for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### From the command line\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```bash\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. 
Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```bash\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elasticsearch_domain) = \"pass\" if {\n\telasticsearch_domain.encryption_at_rest_options_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\telasticsearch_domain.encryption_at_rest_options_kms_key_id == \"(Default) aws/es\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate 
the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668091740758,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"co7-ldi-49e","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test 
rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668543986037,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"rje-tku-m3r","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response_1668543985"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:AppService","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. 
This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\n### From the console\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted 
channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ftps_state(app_service) if {\n\tapp_service.site_config_ftps_state == \"AllAllowed\"\n} else if {\n\tapp_service.site_config.ftps_state == \"AllAllowed\"\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_ftps_state(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the accessed 
bucket: {{bucket_name}} should be accessible to unauthenticated users.\n\n## Changelog\n* 27 October 2022 - updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","technique:T1078-valid-accounts","scope:gcp-cloud-functions","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect possible GCP service account impersonation activity using the gcploit exploitation framework.\n\n## Strategy\nMonitor GCP Cloud Function Logs `source:gcp.cloud.function` and detect if the following sequence of events has occurred within a one minute window:\n* Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)\n* Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`\n* Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`\n\n## Triage & Response\n1. Investigate if the function:`{{@function.name}}` was intentionally created by user `{{@usr.id}}`.\n2. 
If unauthorized:\n * Revoke access of compromised credentials.\n * Remove unauthorized cloud functions.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":3600,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloud.function @evt.name:google.cloud.functions.v1.CloudFunctionsService.CreateFunction @data.protoPayload.request.function.timeout:539s","groupByFields":["@function.name"],"aggregation":"cardinality","name":"function_creation","distinctFields":["@usr.id"]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"get_iam_policy","distinctFields":[]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"set_iam_policy","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"function_creation > 0 && get_iam_policy > 0 && set_iam_policy >0"}],"type":"log_detection","id":"un3-5tn-fmz","createdAt":1657138827448,"name":"GCP Service Account Impersonation using GCPloit Exploitation Framework"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect GCP service account impersonation activity through the use of access tokens.\n\n## Strategy\nMonitor GCP Admin Activity audit logs for event `@evt.name:GenerateAccessToken`:\n* Successful Attempts: `@data.protoPayload.authorizationInfo.granted:true`\n* Failed Attempts: `@evt.outcome:PERMISSION_DENIED`\n\n## Triage & Response\n1. 
Investigate if the user `{{@usr.id}}` from IP address:`{{@network.client.ip}}` intended to perform this activity.\n2. If unauthorized:\n * Revoke access of compromised user and service account.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n * Investigate other activities performed by the IP `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":300},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @data.protoPayload.authorizationInfo.granted:true","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_success","distinctFields":[]},{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @evt.outcome:PERMISSION_DENIED","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"generate_access_token_failed > 0 && generate_access_token_success > 0"},{"status":"low","notifications":[],"name":"Attempted","condition":"generate_access_token_failed > 0"}],"type":"log_detection","id":"mjs-vof-vtn","createdAt":1662479173677,"name":"GCP Service Account impersonation activity using access token generation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. 
This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. 
If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`).\n\n## Changelog\n* 17 October 2022 - Updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\naccess_key_used_too_long_ago(credential_report, seen, key_to_check) if {\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])] > last_used_age_threshold\n} else if {\n\tnot credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])]\n}\n\naccess_key_non_compliant(credential_report, seen, key_to_check) if {\n\tcredential_report[concat(\"\", [\"access_key_\", key_to_check, \"_active\"])]\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_rotated\"])] > last_rotated_age_threshold\n\taccess_key_used_too_long_ago(credential_report, seen, key_to_check)\n}\n\nnon_compliant_credential_report(credential_report, seen) if {\n\taccess_key_non_compliant(credential_report, seen, \"1\")\n} else if 
{\n\taccess_key_non_compliant(credential_report, seen, \"2\")\n}\n\nshould_skip(iam_user) if {\n\tsome credential_report in iam_user.credential_report\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else if {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" if {\n\tsome credential_report in iam_user.credential_report\n\tseen := iam_user.resource_seen_at\n\tnon_compliant_credential_report(credential_report, seen)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the last 30 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tcount(iam_user.user_policies) > 0\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = 
\"fail\" if {\n\tsome password_policy in iam_account.password_policy\n\tpassword_policy.minimum_password_length < 14\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:Identity-and-Access-Management","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. 
It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\naccount_invalid(iam_account) if {\n\tnot iam_account.password_policy_v2.password_reuse_prevention == 24\n}\n\neval(iam_account) = \"fail\" if {\n\taccount_invalid(iam_account)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. 
It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. 
[http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.2","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework"
:"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" if {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. 
Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninvalid_policy(password_policy) if {\n\tpassword_policy.expire_passwords == false\n} else if {\n\tpassword_policy.max_password_age > 90\n}\n\ninvalid_account(iam_account) if {\n\tinvalid_policy(iam_account.password_policy_v2)\n} else if {\n\tnot iam_account.password_policy_v2\n}\n\neval(iam_account) = \"fail\" if {\n\tinvalid_account(iam_account)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_lowercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_numbers == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_symbols == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_uppercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### From the command line\n\n1. 
Run `list-users` to get [a list of current IAM users][3].\n ```\n aws iam list-users\n ```\n\n2. Run the `list-user-policies` command find the [users attached policies][4].\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. Run the `detach-user-policy` command to [revoke Administrator access][5].\n ```\n aws iam detach-user-policy \\\n --user-name insert-username-here \\\n --policy-arn insert-policy-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","
version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_attached_policy(iam_user) if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy.policy_name == \"AdministratorAccess\"\n}\n\neval(iam_user) = \"fail\" if {\n\tnon_compliant_attached_policy(iam_user)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does not have admin permissions to your AWS 
account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","control:1.1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEach IAM role must have a [trust policy][1] which defines the principals who are trusted to assume that role. It is possible to specify a [wildcard principal][2] which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a [`Condition` element][3] to restrict access.\n\n## Rationale\n\nA trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.\n\n## Remediation\n\nEnsure the identified role does not have a principal value of `\"AWS\": \"*\"`. If a wildcard principal is necessary, use a `Condition` element to restrict access. Follow the [AWS documentation][4] to properly scope the `Principal` policy element.\n\n### From the console\n\n1. In the AWS Console, navigate to the IAM role you would like to change.\n2. On the IAM role page, click the **Trust relationships** tab.\n3. Click **Edit trust policy**.\n4. Make changes to the trust policy to remediate the risk.\n5. 
Click **Update policy**.\n\n### From the command line\n\nUse the `update-assume-role-policy` action to [update the role trust policy][5] to remediate the risk.\n\n aws iam update-assume-role-policy\n --role-name Test-Role\n --policy-document file://.json\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.1","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":
"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncontains_case_insensitive(array, elem) if {\n\tcandidate := array[_]\n\tlower(candidate) == lower(elem)\n}\n\neval(iam_role) = \"fail\" if {\n\trole_policy := iam_role.role_policy[_]\n\n\tlower(role_policy.statement_effect) == \"allow\"\n\trole_policy.policy_principal.principal_aws[_] == \"*\"\n\n\tcontains_case_insensitive(role_policy.statement_action, \"sts:AssumeRole\")\n\n\tnot role_policy.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_role"]},"validationQuery":"","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role trust policy does not contain a wildcard 
principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### From the console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### From the command line\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: 
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From the console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else if {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From the console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.can_ip_forward\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### From the console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### From the command line\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"fail\" if {\n\tstorage_blob_container.has_immutability_policy == false\n\tstorage_blob_container.has_legal_hold == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. 
If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 445\n\trule.to_port >= 445\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 20\n\trule.to_port >= 20\n} else if {\n\trule.from_port <= 21\n\trule.to_port >= 21\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","req
uirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 80\n\trule.to_port >= 80\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### From the command line\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else if {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1433\n\trule.to_port >= 1433\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 27017\n\trule.to_port >= 27017\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3306\n\trule.to_port >= 3306\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is restricted"}]} headers: Content-Type: - application/json 
@@ -249,7 +232,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":828}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. 
Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 9200\n\trule.to_port >= 9200\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound OpenSearch access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1521\n\trule.to_port >= 1521\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 (used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 23\n\trule.to_port >= 23\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 138\n\trule.to_port >= 137\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. 
Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\"\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.args:*\\/dev\\/tcp\\/*","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_known_bad","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(uname OR cat OR ls OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
(@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(curl OR wget)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"java_shell_execution_known_bad","condition":"java_shell_execution_known_bad > 0"},{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. 
Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From the console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed if {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed if {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed if {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" if {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n* 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n* 17 October 2022 - Updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### From the command line\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.vpc_config_vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing 
charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### From the command line\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnot_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\neval(lambda_policy_statement) = \"fail\" if {\n\tnot_compliant_policy_principal(lambda_policy_statement.policy_principal)\n\tlambda_policy_statement.statement_effect == \"Allow\"\n\tnot lambda_policy_statement.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_policy_statement"]},"validationQuery":"","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","control:CC7.5","framework:gdpr","requirement:Security-Management-Process","requirement:Application-Updates","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### From the command line\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.runtime in [\"nodejs16.x\", \"python3.9\", \"ruby2.7\", \"java11\", \"go1.x\", \"dotnet6\", \"provided.al2\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. 
This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: 
https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. 
If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:(\"-S\" OR \"-Sa\" OR \"-aS\" OR \"--status\" OR \"--all\")","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. 
To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. 
Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. [https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id |\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else if {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. 
Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. 
This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tnot iam_account.account_mfa_enabled == 1\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.6","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","framework:security-labs","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.6","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"1.10","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome report in iam_user.credential_report\n\treport.password_enabled == true\n\treport.mfa_active == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. 
For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(entry) if {\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n} else if {\n\tentry.port_range_from <= 22\n\tentry.port_range_to >= 22\n} else if {\n\tentry.port_range_from <= 3389\n\tentry.port_range_to >= 3389\n}\n\nnon_compliant_protocols_and_ports(entry) if {\n\tentry.protocol in [\"tcp\", 
\"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(entry)\n} else if {\n\tnot entry.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.cidr_block == \"0.0.0.0/0\"\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.ipv6_cidr_block == \"::/0\"\n}\n\neval(network_acl) = \"fail\" if {\n\tsome entry in network_acl.entries\n\tentry.egress == false\n\tentry.rule_action == \"allow\"\n\tnon_compliant_cidr_block(entry)\n\tnon_compliant_protocols_and_ports(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### From the console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### From the command line\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. 
\n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if 
{\n\tsecurity_rule.destination_port_range == \"*\"\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else if {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly 
used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:(\"-V\" OR \"--version\")","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. 
[http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1
"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_credential_report) = \"skip\" if {\n\tiam_credential_report.user != \"\"\n} else = \"pass\" if {\n\tnot iam_credential_report.access_key_1_active\n\tnot iam_credential_report.access_key_2_active\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key 
exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access\nto remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n### Impact \n\nWhen updating an existing environment, ensure that administrators have access to\nremote server administration ports through another mechanism before removing access\nby deleting the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) inbound rule.\n\n## Remediation\n\nPerform the following to implement the prescribed state:\n1. Login to the AWS Management Console at\n[https://console.aws.amazon.com/vpc/home][1]\n2. In the left pane, click **Security Groups**\n3. 
For each security group, perform the following:\n A. Select the security group\n B. Click the **Inbound Rules** tab\n C. Click the **Edit inbound rules** button\n D. Identify the rules to be edited or removed\n E. Either update the **Source** field to a range other than 0.0.0.0/0, or click\n**Delete** to remove the offending inbound rule\n F. Click **Save rules**\n\n\n[1]: https://console.aws.amazon.com/vpc/home\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Proc
essing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. 
Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. 
[https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = 
\"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"}]} headers: Content-Type: - application/json 
@@ -266,7 +249,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":828}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and 
response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From the console\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From the command line\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. 
The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur 
when permitting unfettered outbound access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Acc
ess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol in [\"icmp\", \"1\"]\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\"]\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1497-virtualization-or-sandbox-evasion","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug -@process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_antidebug @process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug_unknown_tracer","condition":"ptrace_antidebug_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_antidebug_known_tracer","condition":"ptrace_antidebug_known_tracer > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process 
debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. 
If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":
"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tsome firewall_rule in postgresql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. 
An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 26 August 2022 - Updated rule query\n* 1 November 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(21 OR 22 OR 23 OR 445 OR 
2375 OR 3389 OR 5900 OR 5985 OR 5986))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:21 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:21)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:22 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:22)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3389 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3389)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5900 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5900)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:2375 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:2375)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5985 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5985)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5986 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5986)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:23 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:23)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:445 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:445)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"medium","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"medium","notifications":[],"name":"SSH","condition":"sg_ssh_port > 
0"},{"status":"medium","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"medium","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"medium","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"medium","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"medium","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. 
Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. 
Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. \n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following 
ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** A separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 15 December 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR 
@requestParameters.ipPermissions.items.toPort:3306) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3306 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3306)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5432 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5432)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:1433 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:1433)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:27017 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:27017)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 
OR @requestParameters.ipPermissions.items.toPort:6379) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6379 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6379)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR 
@requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:9200 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:9200)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 
0"},{"status":"medium","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"medium","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"medium","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"medium","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"medium","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"medium","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. 
If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args -@process.executable.path:\"/usr/bin/grep\"","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection -@process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_injection @process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection_unknown_tracer","condition":"ptrace_injection_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_injection_known_tracer","condition":"ptrace_injection_known_tracer > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. 
Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. 
Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"pass\" if {\n\taks_cluster.enable_rbac\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. 
[Disable direct RDP access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framewo
rk":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range in [\"3389\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 3389\n\tto_number(split_port_range[1]) >= 3389\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. 
Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. 
[https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == 
\"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] documentation to ensure your database instances are encrypted.\n\n### From the command line\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances \\\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot \\\n --db-snapshot-identifier my-db-snapshot \\\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases \\\n --region us-west-1\n ```\n\n4. 
Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot \\\n --region us-west-1 \\\n --source-db-snapshot-identifier original-db-snapshot-id \\\n --target-db-snapshot-identifier encrypted-db-snapshot-id \\\n --copy-tags \\\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-id \\\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-snapshot-id \\\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","re
quirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(rds_instance) = \"pass\" if {\n\trds_instance.storage_encrypted == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted 
access to your RDS instance allows everyone on the internet to establish a connection with your database. This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### From the command line\n\n1. Run the `modify-db-instance` command to make the instance not publicly accessible.\n\n ```\n aws rds modify-db-instance\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --db-instance-identifier INSERT_DB_INSTANCE_NAME \\\n\t --no-publicly-accessible \\\n\t --apply-immediately\n ```\n2. Run the `revoke-security-group-ingress` command to block any IPv4 address connecting to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --group-id INSERT_SECURITY_GROUP_ID \\\n\t --protocol tcp \\\n\t --port 3306 \\\n\t --cidr 0.0.0.0/0 \n ```\n3. For IPv6 you can use the same command from step 2 but use the `--ip-permissions` option instead. Reference this [aws-cli documentation][1] for more information.\n\n4. After removing the 0.0.0.0/0 or ::/0 cidr ranges from ingress you need to add in better cidr ranges using the `authorize-security-group-ingress` command.\n\n ```\n aws ec2 authorize-security-group-ingress\n \t --region INSERT_DB_INSTANCE_REGION\n\t --group-id INSERT_SECURITY_GROUP_ID\n\t --protocol tcp\n\t --port 3306\n\t --cidr INSERT_SMALLER_CIDR_RANGE\n ```\n\n[1]: 
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html#options","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecurity_group_vpc_id_to_compliant = {security_group.vpc_id |\n\tsome security_group in input.resources.aws_security_group\n\tcheck_group_non_compliance(security_group)\n}\n\ncheck_group_non_compliance(security_group) if {\n\tsecurity_group_rules := security_group.rules[_]\n\tlower(security_group_rules.direction) == \"ingress\"\n\tcheck_ip_range(security_group_rules)\n}\n\ncheck_ip_range(security_group_rules) if {\n\tsecurity_group_rules.ip_range == \"0.0.0.0/0\"\n}\n\ncheck_ip_range(security_group_rules) if 
{\n\tsecurity_group_rules.ipv6_range == \"::/0\"\n}\n\neval(rds_instance) = \"fail\" if {\n\trds_instance.publicly_accessible == true\n\tsecurity_group_vpc_id_to_compliant[rds_instance.db_subnet_group_vpc_id]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance","aws_security_group"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. 
This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### From the console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### From the command line\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: 
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(rds_instance) if {\n\trds_instance.engine in [\"aurora\", \"aurora-mysql\", \"mysql\", \"mariadb\"]\n\trds_instance.endpoint_port == 3306\n} else if {\n\trds_instance.engine in [\"postgres\", \"aurora-postgresql\"]\n\trds_instance.endpoint_port == 5432\n} else if {\n\trds_instance.engine in [\"oracle-ee\", \"oracle-se2\", \"oracle-se1\", \"oracle-se\"]\n\trds_instance.endpoint_port == 1521\n} else if {\n\trds_instance.engine in [\"sqlserver-ee\", \"sqlserver-se\", \"lserver-ex\", \"sqlserver-web\"]\n\trds_instance.endpoint_port == 1433\n}\n\neval(rds_instance) = \"fail\" if {\n\tdefault_port_used(rds_instance)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","control:1.4","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots by ensuring they are not publicly accessible.\n\n## Rationale\n\nRDS Snapshots can be marked as [public][3], allowing anyone the ability to copy the snapshot to their AWS account and create database instances from it. 
Unless a snapshot is being shared intentionally, it should be deleted.\n\n## Remediation\n\n### From the console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### From the command line\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n```\naws rds modify-db-snapshot-attribute \\\n --db-snapshot-identifier yourdbsnapshot \\\n --attribute-name restore \\\n --values-to-remove \"all\"\n```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Public\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing",
"version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_restore_attributes(db_snapshot_restore_attribute_values) if {\n\tdb_snapshot_restore_attribute_values[_] == \"all\"\n}\n\neval(rds_db_snapshot) = \"fail\" if {\n\tnon_compliant_restore_attributes(rds_db_snapshot.db_snapshot_restore_attribute_values)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_db_snapshot"]},"validationQuery":"","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. 
To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. [https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### From the command line\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster \\\n --cluster-identifier cluster-name \\\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name \\\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster \\\n --cluster-identifier old-cluster \\\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm Redshift clusters are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing clusters in a VPC][2] docs to learn how to modify public accessibility for your clusters.\n\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tnot redshift_cluster.publicly_accessible\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. 
If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.master_username != \"awsuser\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. 
Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. 
Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framew
ork":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.endpoint.port != 5439\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### From the console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. 
Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### From the console\n\nFollow the Amazon Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### From the command 
line\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = 
\"pass\" if {\n\tredshift_cluster.cluster_logging.logging_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:AppService","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\n### From the command line\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_identity(app_service) if {\n\tapp_service.identity_principal_id\n} else if {\n\tapp_service.identity.principal_id\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_identity(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active 
Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. 
Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag in the docker run command you can specify a restart policy for how a container 
should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n}\n\ndestination_with_filter(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tlog_bucket_bucket_name := trim_right(split(logging_log_bucket.resource_name, \"buckets/\")[1], \"\\\"\")\n\tsink_bucket_bucket_name := trim_right(split(logging_log_sink.destination, \"buckets/\")[1], \"\\\"\")\n\tlog_bucket_bucket_name == sink_bucket_bucket_name\n\tlogging_log_sink.filter != \"\"\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_with_filter(logging_log_bucket)\n} else = \"pass\" if {\n\tcompliant(logging_log_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" if {\n\tnon_compliant_keys(iam_credential_report)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects to the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\n### From the console\n\n1. Open the [AWS KMS console][1].\n2. To change the AWS region, use the region selector in the upper-right corner of the page.\n3. Choose **Customer managed keys**.\n4. Choose the alias of the key to update in the **Alias** column.\n5. Choose **Key rotation**.\n6. Select **Automatically rotate this KMS key every year** and then choose **Save**.\n\n### From the command line\n\n1. Use the [`enable-key-rotation`][2] command to set an automatic rotation of a KMS key on an annual basis.\n\n ```\n aws kms enable-key-rotation \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n2. Use the [`get-key-rotation-status'][3] command to verify that you've set the rotation correctly.\n\n ```\n aws kms get-key-rotation-status \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n\n## References\n\n1. 
[https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html][4]\n\n[1]: https://console.aws.amazon.com/kms\n[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-rotation-status.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aws_kms) = \"skip\" if {\n\taws_kms.key_manager != \"CUSTOMER\"\n} else = \"fail\" if {\n\tnot aws_kms.key_rotation_enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_kms"]},"validationQuery":"","resourceType":"aws_kms","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your bucket ACL to remove public `READ_ACP`, `READ` access.\n\n## Rationale\n\n* Public `READ_ACP` access gives anyone the ability to read the bucket ACL. With this permission, anyone can see who controls your objects. 
This information can potentially be used to find misconfigured permissions and gain access to your S3 data.\n\n* Public `READ` access allows the grantee to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][3].\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-P
rocess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"READ\", \"READ_ACP\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if {\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket ACL and bucket objects are not publicly readable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket ACL is not viewable by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.5","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP`, `WRITE`, or `FULL_CONTROL` access for all AWS users or any authenticated AWS user.\n\n## Rationale\n\n* Public `WRITE_ACP` access gives anyone permissions to change the S3 bucket Access Control List. 
With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.\n\n* Public `WRITE` access allows the grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects. \n\n* Public `FULL_CONTROL` access allows the grantee the `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` permissions on the bucket.\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][1].\n\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.5","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"WRITE\", \"WRITE_ACP\", \"FULL_CONTROL\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if 
{\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket ACLs are configured to block public write actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of 
Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### From the console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### From the command line\n\n1. Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"pass\" if {\n\ts3_bucket.versioning_mfa_delete == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" if {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 
bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### From the console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### From the command line\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninsecure_sse_algorithm(encryption_configuration) if {\n\tnot encryption_configuration.sse_algorithm in [\"AES256\", \"aws:kms\"]\n}\n\nbad_encryption_rules(s3_bucket) if {\n\tsome encryption_rules in s3_bucket.bucket_encryption_rules\n\tsome rules in encryption_rules.rules\n\tinsecure_sse_algorithm(rules.apply_server_side_encryption_by_default)\n} else if {\n\tnot s3_bucket.bucket_encryption_rules\n}\n\neval(s3_bucket) = \"fail\" if {\n\tbad_encryption_rules(s3_bucket)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling versioning on 
buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### From the command line\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tnot s3_bucket.versioning_status == \"Enabled\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket ACL to remove public `READ` access.\n\n## Rationale\n\nGranting public `READ` allows anyone to list objects within a bucket. 
Note that it does not allow to directly read the actual bucket objects.\n\n## Remediation\n\n### From the console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### From the command line\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n ```\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"p
olicy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.3","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run the [`delete-bucket-policy`][2] command to fully remove any public access to the bucket.\n\n ```\n aws s3api delete-bucket-policy \\\n --bucket insert-bucket-name-here\n ```\n\n2. If you need a bucket policy, create a new non-public bucket policy using the [AWS Policy Generator][3].\n3. 
Apply the bucket policy from Step 2 with the [`put-bucket-policy`][4] command.\n\n ```\n aws s3api put-bucket-policy\n --bucket insert-bucket-name-here\n --policy file://insert-bucket-policy-file-name-here.json\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.restrict_public_buckets == true\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tprincipal_aws := policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\ninsecure_policy_statements(s3_bucket) if {\n\tbucket_policy_statement := s3_bucket.bucket_policy_statement[_]\n\tbucket_policy_statement.statement_effect == \"Allow\"\n\tbucket_policy_statement.statement_has_condition == false\n\tinsecure_policy_principal(bucket_policy_statement.policy_principal)\n}\n\ncompliant_s3_bucket_access(s3_bucket) if {\n\taccount_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\taccount_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_policy_statements(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket_access(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 
0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is not publicly exposed via bucket policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket objects cannot be listed by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n* 18 March 2022 - Updated signal message, query and severity.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n[4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n[5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n[6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n[7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n[8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement 
is disabled.\n\n## Strategy\nThis detection monitors the change of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. 
You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic 
[resource-based policy][4] to prevent unintended access to the resource.\n\n## Rationale\n\nWhen a `*` is specified as a `Principal`, along with an `Allow` `Effect` it grants [anyone][5] the ability to perform actions on a resource. In this situation, if the policy includes the `sns:Subscribe` `Action`, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [resource-based policy][2] with an appropriate `Principal` ARN or a `Condition` element. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. 
Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes \\\n --topic-arn arn:aws:sns:region:123456789012:YourTopic \\\n --attribute-name Policy \\\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy(policy) if {\n\tpolicy.policy_principal.principal == \"*\"\n} else if {\n\tpolicy.policy_principal.principal_aws[_] == \"*\"\n}\n\nnon_compliant_statement_action(statement_action) if {\n\tlower(statement_action[_]) == \"sns:subscribe\"\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in 
sns_topic.policies\n\tlower(policy.statement_effect) == \"allow\"\n\tnon_compliant_policy(policy)\n\tnon_compliant_statement_action(policy.statement_action)\n\tpolicy.statement_has_condition == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has access restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `*` gives anyone access to publish on a topic. 
Unauthenticated users can publish arbitrary messages, potentially leading to loss of integrity and denial of service.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [access control policy][2] with an appropriate `Principal` ARN. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```bash\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name Policy\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\nnon_compliant_statement_action(statement_actions) if {\n\t\"SNS:Publish\" in statement_actions\n}\n\nnon_compliant_policy(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnon_compliant_statement_action(policy.statement_action)\n\tnot policy.statement_has_condition\n\n\tnon_compliant_policy_principal(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in sns_topic.policies\n\tnon_compliant_policy(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and regulatory requirements.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### From the command 
line\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sns_topic) = \"pass\" if {\n\tsns_topic.kms_master_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### From the console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### From the command line\n\nIf you do not have an access control policy, [create 
one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if 
{\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA 
database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From the command line\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"fail\" if {\n\tsome firewall_rule in sql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY 
IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. 
Click Save\n\n### Using PowerShell\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. 
In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" if {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\"\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your Cloud SQL 
databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From the command line\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" if {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\"\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From the console\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.encryption_protector.kind == \"azurekeyvault\"\n\tsql_server.encryption_protector.server_key_type == \"AzureKeyVault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master 
keys (CMK) for server-side encryption.\n\n### From the command line\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com//\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nhas_server_side_encryption(sqs_queue) if {\n\tsqs_queue.sqs_managed_sse_enabled == true\n} else if {\n\tsqs_queue.kms_master_key_id\n}\n\neval(sqs_queue) = \"pass\" if {\n\thas_server_side_encryption(sqs_queue)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized 
users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### From the command line\n\n1. Run the `list-queues` command to get a list of queue URLs.\n \n ```\n aws sqs list-queues --region insert-your-region-here\n ```\n\n2. Run the `get-queue-attributes` command with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes \\\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue \\\n --attribute-names Policy\n ```\n3. Run the `remove-permission` command to [remove any unwanted permissions][3] from your queue policy.\n\n ```\n aws sqs remove-permission \\\n --region insert-your-region-here \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-remove\n\n4. Run the `add-permission` command to [add a new permission][4] to your queue policy.\n\n ```\n aws sqs add-permission \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-add\n ```\n5. 
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/remove-permission.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. [Disable direct SSH access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: 
https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range 
in [\"22\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 22\n\tto_number(split_port_range[1]) >= 22\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(mysql_server) = \"pass\" if {\n\tmysql_server.ssl_enforcement == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_mysql_server"]},"validationQuery":"","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n1. Login to Azure Portal using [https://portal.azure.com][1]\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled to enforce SSL connection \n\n### From the command line\n\n ```\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security][2]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit][3]\n\n[1]: https://portal.azure.com\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.
2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tlower(postgresql_server.ssl_enforcement) == \"enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. 
\n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"}]} headers: Content-Type: - application/json 
@@ -283,7 +266,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":828}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file 
has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## 
Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. 
You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. 
You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ad_security_defaults_policy) = \"pass\" if {\n\tad_security_defaults_policy.is_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_ad_security_defaults_policy"]},"validationQuery":"","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. 
Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or 
modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. 
`/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. 
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. 
[https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot 
is_admin_user(gip)\n} else = \"fail\" if {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning 
service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. 
To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: 
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountUser\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == 
\"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database 
to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_checkpoints_on(server_config) if {\n\tserver_config.name == \"log_checkpoints\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_checkpoints_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. 
Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_connections_off(server_config) if 
{\n\tserver_config.name == \"log_connections\"\n\tserver_config.value == \"off\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_connections_off(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL 
Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_disconnections_on(server_config) if {\n\tserver_config.name == \"log_disconnections\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_disconnections_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL 
statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### From the console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### From the command line\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. 
Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. 
Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_numeric(x) if 
{\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\nserver_config_not_compliant(server_config) if {\n\tis_numeric(server_config.value)\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. 
Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","requirement:Storage-Accounts","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_blob_service(blob_service) if {\n\tblob_service.delete_retention_policy_enabled\n\tblob_service.delete_retention_policy_days > 0\n} else if {\n\tblob_service.delete_retention_policy.enabled\n\tblob_service.delete_retention_policy.days > 0\n}\n\neval(storage_account) = \"pass\" if {\n\tsome blob_service in storage_account.blob_services\n\tcompliant_blob_service(blob_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","source:azure.storage","level:1","requirement:Storage-Accounts","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.encryption.key_source == \"Microsoft.Keyvault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1574-hijack-execution-flow","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect attempts to load a malicious library.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as `LD_PRELOAD`, or configuration files such as `/etc/ld.so.preload/`, which the dynamic linker uses to load shared libraries. \n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.39 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dynamic_linker_config_unlink -@process.executable.path:(\"/usr/bin/dpkg\" OR \"/usr/bin/yum\")","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_unlink","distinctFields":[]},{"query":"@agent.rule_id:dynamic_linker_config_write","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_write","distinctFields":[]},{"query":"@agent.rule_id:ld_preload_unusual_library_path","groupByFields":["host"],"aggregation":"count","name":"ld_preload_unusual_library_path","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"suspected_dynamic_linker_hijacking","condition":"dynamic_linker_config_unlink > 0 || dynamic_linker_config_write > 0 || ld_preload_unusual_library_path > 0"}],"type":"workload_security","id":"qr1-yg4-ab3","createdAt":1670612608535,"name":"Suspected dynamic linker hijacking attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. 
If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. 
If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. \n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the 
Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092249514,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"workload_security","id":"6pg-sy3-vc5","isDefault":false,"name":"Test"},{"creationAuthorId":1445416,"tags":[],"isEnabled":false,"hasExtendedTitle":false,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092310914,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"c4n-gxt-rmi","isDefault":false,"name":"Test xxx1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets 
use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. 
[https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Paramet
er","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a 
project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"UDP\", \"*\"]\n\tsecurity_rule.direction == 
\"Inbound\"\n\tsecurity_rule.destination_port_range in [\"*\", \"53\", \"123\", \"161\", \"389\", \"1900\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. 
This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is 
executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":176,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.executable.name:\"unattended-upgrade\" -@process.ancestors.executable.name:(\"xtables-legacy-multi\" OR \"apt.systemd.daily\") -@module.name:(\"nf_tables\" OR \"iptable_filter\" OR \"ip6table_filter\" OR \"bpfilter\" OR \"ip6_tables\" OR \"ip6table_nat\" OR \"nf_reject_ipv4\" OR \"ipt_REJECT\" OR \"iptable_raw\")"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. 
In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. 
It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account 
token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a `Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. 
If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.executable.path:(\"/usr/bin/unattended-upgrade\" OR \"/usr/bin/dpkg\" OR \"/usr/bin/yum\" OR \"/usr/bin/rpm\") -@process.args:\"-D\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets while also receiving an error message of `AccessDenied`, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of `AccessDenied` messages while attempting to retrieve secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. 
Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n## Changelog\n* 25 October 2022 - Updated query.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue @error.kind:AccessDenied -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - 
Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging-and-Monitoring","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Go to **Monitor**.\n2. Select **Alerts**.\n3. Click On **New Alert Rule**.\n4. 
Under **Scope**, click **Select Resource**.\n5. Select the appropriate subscription under **Filter by Subscription**.\n6. Select **Policy Assignment** under **Filter by Resource Type**.\n7. Select **All** for **Filter by Location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Verify selection preview shows **All Policy** assignment (policyAssignments) and your selected subscription name.\n10. Click **Done**.\n11. Under **Condition** click **Add Condition**.\n12. Select **Create Policy Assignment** signal.\n13. Click **Done**.\n14. Under **Action Group**, select **Add Action Groups** and complete creation process or select appropriate action group.\n15. Under **Alert Rule Details**, enter **Alert Rule Name** and **Description**.\n16. Select appropriate resource group to save the alert to.\n17. Check **Enable alert rule upon creation** checkbox.\n18. Click **Create Alert Rule**.\n\n### From the Azure Command Line Interface\n\nTo create an Activity Log Alert for Create policy, use this command:\n```\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1\nbash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data mentioned below:\n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/write\",\n\t\t\t\t\t\"field\": 
\"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable parameters for the command line include the following: \n- \n- \n \nConfigurable parameters for `input.json` include the following: \n- in scopes \n- in actionGroupId \n- in actionGroupId \n- in actionGroupId\n\n\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2]\n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3]\n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n[5]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. 
Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate 
an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. 
\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := 
input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL 
Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\tnot 
condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. 
Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.security/securitysolutions/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if 
{\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. 
Using the Azure Portal search bar, search for **Monitor**. \n2. Select **Alerts** from the left-hand panel.\n3. Click **Create** and from the drop down select **Alert rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Virtual machines** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows your selected Virtual Machine(s) and subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Deallocate Virtual Machine** signal name. \n13. Navigate to **Actions**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Navigate to **Details** and select the appropriate resource group to save the alert to. \n16. Enter **Alert rule name** and **Alert rule description**.\n17. Under the **Advanced options** drop-down menu, click on the **Enable alert rule upon creation** checkbox.\n18. Click **Review + create** and verify all of the alert settings are correct.\n19. Click **Create**.\n\n### From the command line\n\n ```bash\n az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n ```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n ```json\n {\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n }\n ```\n\n**Using PowerShell AZ cmdlets**: \n ```powershell\n $ComplianceName = 'Deallocatete Virtual Machine'\n $Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n $Category = 'Administrative'\n $ResourceGroupName = 'MyResourceGroup'\n $actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n $ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n $Subscription = (Get-AzContext).Subscription\n $location = 'Global'\n $scope = \"/subscriptions/$($Subscription.Id)\"\n $alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n $conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n )\n Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate/action\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged 
for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the 
Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert 
:= input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","requirement:Azure","control:164.308-a-3-ii-a","control:2.3","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","framework:security-labs","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.3","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1
"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.network/loadbalancers/delete\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can 
detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object 
Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox.\n\n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:Logging-and-Monitoring","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight 
into changes in the **Policy - Assignments** page and reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data below: \n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n\t\t\t\t\t\"field\": \"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable Parameters for command line:\n- ``\n- ``\n\nConfigurable Parameters for `input.json`:\n- `` in scopes\n- `` in actionGroupId\n- `` in actionGroupId\n- `` in actionGroupId\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = 
\"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][1]\n2. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][3] \n4. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][4] \n5. [https://azure.microsoft.com/en-us/services/blueprints/][5]\n\n[1]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[2]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n[5]: https://azure.microsoft.com/en-us/services/blueprints/\n\n## Additional Information\n\n- This log alert also applies for Azure 
Blueprints.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete 
PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. 
Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. 
[https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operati
ons","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 'Delete Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security
","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tsome activity_log_alert in input.resources.azure_activity_log_alert\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/databases/move/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the 
console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful 
elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", 
[\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" if {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\"\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else if {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### From the command line\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"insert-vpc-policy-id\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"insert-allowed-arns\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run the `modify-vpc-endpoint` command with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint \\\n --region insert-region-here\n --vpc-endpoint-id insert-vpc-endpoint-id \\\n --policy-document file://insert-new-vpc-policy-filename.json\n ```\n\n3. Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.\n4. 
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement) if {\n\tcheck_principal_conditions(vpc_endpoint_policy_statement)\n\tnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement)\n}\n\nnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement) if {\n\tnot vpc_endpoint_policy_statement.statement_has_condition\n\tlower(vpc_endpoint_policy_statement.statement_effect) == \"allow\"\n}\n\ncheck_principal_conditions(vpc_endpoint_policy_statement) if {\n\tvpc_endpoint_policy_statement.policy_principal.principal == \"*\"\n} else if {\n\tvpc_endpoint_policy_statement.policy_principal.principal_aws[_] == \"*\"\n}\n\neval(vpc_endpoint_policy_statement) = \"fail\" if {\n\tnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc_endpoint_policy_statement"]},"validationQuery":"","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. [http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"1
64.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(vpc) = \"pass\" if {\n\tsome flowlog in vpc.flowlogs\n\tflowlog.flow_log_status == \"ACTIVE\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc"]},"validationQuery":"","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. 
\n\n## Strategy\nThis rule monitors Vault Audit Logs (`source:vault`) to detect when `root` is seen in:\n\n* auth policy (`@auth.policies`)\n\nThis rule also monitors the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n* 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.\n* 17 October 2022 - Updated queries and cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @http.url_details.path:\"sys/generate-root/attempt\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_initialized","distinctFields":[]},{"query":"source:vault @http.url_details.path:\"sys/generate-root/update\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root @type:response","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_used","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Initialized","condition":"root_token_initialized > 0"},{"status":"high","notifications":[],"name":"Created","condition":"root_token_created > 0"},{"status":"high","notifications":[],"name":"Used","condition":"root_token_used > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root 
Token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the 
most recent bug fixes and security patches.\n\n## Remediation\n\n### From the console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### From the command line\n\n1. Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.allow_version_upgrade\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\n### From the console\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\n### Using PowerShell\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"pass\" if {\n\tvirtual_machine_instance.storage_profile.os_disk.managed_disk_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email 
notifications to admins and subscription owners\". This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting 
\"Periodic recurring scans\" schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate 
for incoming requests. Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\n### From the command line\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.client_cert_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\n### From the console\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\n### From the command line\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_min_tls_version(app_service) if {\n\tapp_service.site_config_min_tls_version == \"1.2\"\n} else if {\n\tapp_service.site_config.min_tls_version == \"1.2\"\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_min_tls_version(app_service)\n} else = \"fail\"\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","framework:cis-azure","control:4.1","control:2.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\n### From the command line\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"2.1","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.https_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:windows","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes 
> 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log Cleared"}]}
 headers:
 Content-Type:
 - application/json
@@ -300,7 +283,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":828}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin 
Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more 
restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"m1r-h1c-usk","createdAt":1665663121877,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1665663120 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered (updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered 
(updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 
3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127340,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wtt-nh6-juo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"}]} + {"meta":{"page":{"total_filtered_count":30,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. 
","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain 
Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall 
Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate 
administrators"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## 
Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540941284,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"o68-soo-c12","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540939"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540946161,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"r7n-huo-4rt","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540944"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package 
datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540952520,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"wth-wau-03b","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540950"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["terraform:true","test:acceptance-updated"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"Acceptance test TF rule - updated","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog # updated","resourceTypes":["gcp_compute_disk","gcp_compute_instance","gcp_compute_firewall"]},"complexRule":true},"keepAlive":21600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":true,"defaultGroupByFields":null,"userGroupByFields":["@resource","@resource_type"]},"cases":[{"status":"high","notifications":["@channel-upd"],"name":"","condition":"a > 0"}],"id":"u2m-agy-swa","createdAt":1671541008003,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671541006 - updated"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance 
test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542720397,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"grb-fzj-wqh","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542718"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542793321,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"il3-uli-eqq","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542791"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552482017,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"77c-zma-o7f","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552480"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552551633,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hop-rqz-f8v","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552550"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552663049,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 
0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhn-veo-7mp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552661"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552679840,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kbd-8wc-8cq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552678"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553311788,"filters":[{"action":"suppress","query":"does not really 
suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3am-l1f-ved","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553310"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553346438,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vmb-tgh-ihm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553344"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553410647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"p3o-o9v-1ha","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553409"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553453803,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qfz-lca-swv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553452"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553538312,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zmw-kgv-yds","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553537"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From the console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} headers: Content-Type: - application/json 
@@ -317,24 +300,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":28,"total_count":828}},"data":[{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"distinctFields":[],"correlatedByFields":["service"],"name":"first_updated","ruleId":"jvn-8zf-uia","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["service"],"name":"second_updated","ruleId":"y1g-9sk-mfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 0 && second_updated > 0"}],"type":"signal_correlation","id":"wwi-4gf-3lv","createdAt":1665663122165,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121853,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jvn-8zf-uia","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665663121822,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"y1g-9sk-mfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1665663120_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. 
This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":827}},"data":[]} + {"meta":{"page":{"total_filtered_count":0,"total_count":730}},"data":[]} headers: Content-Type: - application/json 
@@ -351,7 +317,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. 
The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to 
address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, 
\"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that 
are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From the console\n\n1. Go to **Microsoft Defender for Cloud**\n2. Click on **Environment Settings**\n3. Click on a subscription\n4. Click on **Auto Provisioning** in the left column.\n5. Ensure that **Log Analytics agent for Azure VMs** is set to **On**\n\n### From the command line\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" \nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body JSON data as mentioned below: \n\n```bash\n{\n\t\"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default \",\n\t\"name\": \"default\",\n\t\"type\": \"Microsoft.Security/autoProvisioningSettings\",\n\t\"properties\": {\n\t\t\"autoProvision\": \"On\"\n\t}\n}\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection][2]\n3. [https://msdn.microsoft.com/en-us/library/mt704062.aspx][3]\n4. [https://msdn.microsoft.com/en-us/library/mt704063.aspx][4]\n5. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list][5]\n6. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create][6]\n7. 
[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification][7]\n\n[1]: https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n[2]: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n[3]: https://msdn.microsoft.com/en-us/library/mt704062.aspx\n[4]: https://msdn.microsoft.com/en-us/library/mt704063.aspx\n[5]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n[6]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n[7]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n## Additional Information\n- Excluding any of the entries in `input.json` may disable the specific setting by default.\n- Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. 
This recommendation is updated accordingly.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_center_auto_provisioning) = \"fail\" if {\n\tsecurity_center_auto_provisioning.auto_provision == \"Off\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_center_auto_provisioning"]},"validationQuery":"","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. 
However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the console\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. 
Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"25.2","framework":"gdp
r","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_account_public_access_block) if {\n\ts3_account_public_access_block.block_public_acls\n\ts3_account_public_access_block.block_public_policy\n\ts3_account_public_access_block.ignore_public_acls\n\ts3_account_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else if {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"'Block Public Access' feature is enabled for S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\n### From the console\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. 
Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. Go back to the VM and re-attach the disk\n\n### Using PowerShell\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption_type(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Attached\"\n} else = \"pass\" if {\n\tcompliant_encryption_type(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:Storage-Accounts","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","control:6.5.3","framework:cis-azure","control:2.6","control:4.1","control:3.1","requirement:Control-Activities","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. 
Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\n### From the command line\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.6","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.supports_https_traffic_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tcontains(storage_account.network_acls.bypass, \"AzureServices\")\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome 
resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\n### From the console\n\n**Note:** Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n1. Go to `Virtual machines`\n2. For each virtual machine, go to `Settings`\n3. Click on `Disks`\n4. Click the `X` to detach the disk from the VM\n5. Now search for `Disks` and locate the unattached disk\n6. Click the disk then select `Encryption`\n7. Change your encryption type, then select your encryption set\n8. Click `Save`\n9. Go back to the VM and re-attach the disk\n\n### From the commandline\n\n```powershell\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;\n$KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss][4]\n2. 
[https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json][5]\n3. [https://docs.microsoft.com/en-us/rest/api/compute/disks/delete][6]\n4. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete][7]\n5. [https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings][8]\n6. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update][9]\n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest][10]\n\n\n[1]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[4]: https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n[5]: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n[6]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n[7]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[8]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[9]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n[10]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Unattached\"\n} else = \"pass\" if {\n\tcompliant_encryption(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. 
If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. 
Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = 
\"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum message 
severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value of the 
`log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.11","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for SQL instance\nconfiguration changes.\n\n## Rationale\nMonitoring changes to SQL instance configuration changes may reduce the time needed to\ndetect and correct SQL server misconfigurations.\nBelow are a few configurable options that may impact the security posture of an\nSQL instance:\n \u2022 Enable auto backups and high availability: Misconfiguration may adversely impact\n business 
continuity, disaster recovery, and high availability\n \u2022 Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n### Impact \nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation \n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and clicking **CREATE METRIC**.\n2. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.\n3. Clear any text and add:\n\n ```\n protoPayload.methodName=\"cloudsql.instances.update\"\n ```\n\n4. Click **Submit Filter**. Display logs appear based on the filter text.\n5. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. \nThis ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every SQL instance configuration change in the project.\n8. 
Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][9]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][10]\n\n\n\n## References\n1. [https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/storage/docs/overview][5]\n6. [https://cloud.google.com/sql/docs/][6]\n7. [https://cloud.google.com/sql/docs/mysql/][7]\n8. [https://cloud.google.com/sql/docs/postgres/][8]\n9. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][9]\n10. 
[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][10]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/storage/docs/overview\n[6]: https://cloud.google.com/sql/docs/\n[7]: https://cloud.google.com/sql/docs/mysql/\n[8]: https://cloud.google.com/sql/docs/postgres/\n[9]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[10]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_method_name_constant := upper(\"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := 
input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, filter_method_name_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"rtu-ij2-tg6","createdAt":1666265090604,"name":"A log metric filter and 
alert exists for SQL instance configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","control:2.9","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for Virtual Private Cloud (VPC) network changes.\n\n## Rationale\nIt is possible to have more than one VPC within a project. \nIn addition, it is also possible to create a peer connection between two VPCs to enable network traffic routing between VPCs.\n\nMonitoring changes to a VPC helps to ensure that VPC traffic flow is not getting impacted.\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n resource.type=gce_network\n AND (protoPayload.methodName:\"compute.networks.insert\"\n OR protoPayload.methodName:\"compute.networks.patch\"\n OR protoPayload.methodName:\"compute.networks.delete\"\n OR protoPayload.methodName:\"compute.networks.removePeering\"\n OR protoPayload.methodName:\"compute.networks.addPeering\")\n ```\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][6]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][7]\n\n\n\n## References\n1. 
[https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/vpc/docs/overview][5]\n6. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][6]\n7. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][7]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/vpc/docs/overview\n[6]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[7]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.9","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=gce_network\")\n\nfilter_method_name_1 := upper(\"protoPayload.methodName:\\\"compute.networks.insert\\\"\")\n\nfilter_method_name_2 := upper(\"protoPayload.methodName:\\\"compute.networks.patch\\\"\")\n\nfilter_method_name_3 := upper(\"protoPayload.methodName:\\\"compute.networks.delete\\\"\")\n\nfilter_method_name_4 := upper(\"protoPayload.methodName:\\\"compute.networks.removePeering\\\"\")\n\nfilter_method_name_5 := upper(\"protoPayload.methodName:\\\"compute.networks.addPeering\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type)\n\tcontains(filter_parsed, filter_method_name_1)\n\tcontains(filter_parsed, filter_method_name_2)\n\tcontains(filter_parsed, filter_method_name_3)\n\tcontains(filter_parsed, filter_method_name_4)\n\tcontains(filter_parsed, filter_method_name_5)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if 
{\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"zv2-vh1-ixx","createdAt":1665677590865,"name":"A log metric filter and alert exists for VPC network changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data\nAccess logs to help answer the question of \"Who did what, where, and when?\" within GCP\nprojects.\nCloud audit logging records information such as the identity of the API caller, the time of\nthe API call, the source 
IP address of the API caller, the request parameters, and the\nresponse elements returned by GCP services. Cloud audit logging provides a history of GCP\nAPI calls for an account, including API calls made through the console, SDKs, command-line\ntools, and other GCP services.\n\n## Rationale\nCloud audit logging to Admin Activity and Data Access logs enables security\nanalysis, resource change tracking, and compliance auditing.\nConfiguring the metric filter and alerts for audit configuration changes ensures that the\nrecommended state of audit configuration is maintained so that all activities in the project\ncan be audited at any point in time.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n protoPayload.methodName=\"SetIamPolicy\" AND\n protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n ```\n6. Click **Create Metric**.\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. 
Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every audit configuration change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_methodname_constant := upper(\"protoPayload.methodName=\\\"SetIamPolicy\\\"\")\n\nfilter_servicedata_constant := 
upper(\"protoPayload.serviceData.policyDelta.auditConfigDeltas:*\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, filter_methodname_constant)\n\tcontains(filter_parsed, filter_servicedata_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sni-qbq-wix","createdAt":1665677774002,"name":"A log metric filter and alert exists for audit configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.8","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network route changes.\n\n## Rationale\nGoogle Cloud Platform (GCP) routes define the paths taken by network traffic from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. 
Traffic whose destination IP is within the destination range is sent to the next hop\nfor delivery.\nMonitoring changes to route tables helps to ensure that all VPC traffic flows through an expected path.\n\n### Impact\nEnabling of logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console:\n\n#### Create the prescribed Log Metric:\n1. Go to [Logs-based Metrics][1] within **Logging** in the Google Cloud console and click **CREATE METRIC**.\n2. Click the down arrow symbol on the filter bar at the rightmost corner and select\n**Convert to Advanced Filter**.\n3. Clear any text and add:\n ```\n resource.type=\"gce_route\"\n AND (protoPayload.methodName:\"compute.routes.delete\"\n OR protoPayload.methodName:\"compute.routes.insert\"\n ```\n4. Click **Submit Filter**. Display logs appear based on the entered filter text.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`\n(default) and `Type` to `Counter`. This ensures that the log metric counts the number of\nlog entries matching the advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` in the\n[Logs-based Metrics][1] page in the Google Cloud console.\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create\nalert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold\nand configuration that makes sense for your organization. For example, a\nthreshold of zero(0) for the most recent value ensures that a notification is triggered\nfor every owner change in the project:\n ```\n Set `Aggregator` to `Count`\n Set `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n ```\n4. Configure the desired notification channels in the section **Notifications**.\n5. 
Name the `policy` and click **Save**.\n\n### From the command line:\n\n#### Create the prescribed Log Metric: \n\nUse the command `gcloud beta logging metrics create`. Read the [usage reference][2] in the Google Cloud documentation for more information.\n\n#### Create the prescribed alert policy:\n\nUse the command `gcloud alpha monitoring policies create`. Read the [usage reference][3] in the Google Cloud documentation for more information.\n\n## References\n\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][4]\n2. [https://cloud.google.com/monitoring/custom-metrics/][5]\n3. [https://cloud.google.com/monitoring/alerts/][6]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][7]\n5. [https://cloud.google.com/storage/docs/access-control/iam][8]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[3]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[4]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[5]: https://cloud.google.com/monitoring/custom-metrics/\n[6]: https://cloud.google.com/monitoring/alerts/\n[7]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[8]: 
https://cloud.google.com/storage/docs/access-control/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.8","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=\\\"gce_route\\\"\")\n\nfilter_method_name_delete_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.delete\\\"\")\n\nfilter_method_name_delete := upper(\"protoPayload.methodName:\\\"compute.routes.delete\\\"\")\n\nfilter_method_name_insert_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.insert\\\"\")\n\nfilter_method_name_insert := upper(\"protoPayload.methodName:\\\"compute.routes.insert\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_filter(filter_parsed, 
filter_method_name_beta, filter_method_name) if {\n\tcontains(filter_parsed, filter_method_name_beta)\n} else if {\n\tcontains(filter_parsed, filter_method_name)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\n\tcontains(filter_parsed, filter_resource_type)\n\n\tvalid_filter(filter_parsed, filter_method_name_delete_beta, filter_method_name_delete)\n\tvalid_filter(filter_parsed, filter_method_name_insert_beta, filter_method_name_insert)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.notification_channels[_]\n\tmonitoring_alert_policy.enabled == true\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-dyl-9lb","createdAt":1668685067568,"name":"A log metric filter and alerts exist for VPC Network route changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.7","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network firewall rule changes.\n\n## Rationale\nMonitoring create or update firewall rule events gives insight to network access\nchanges and may reduce the time it takes to detect suspicious activity.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. 
Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"gce_firewall_rule\"\n AND protoPayload.methodName:\"compute.firewalls.patch\"\n OR protoPayload.methodName:\"compute.firewalls.insert\"\n OR protoPayload.methodName:\"compute.firewalls.delete\"\n ```\n \n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network firewall rule change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. 
Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/vpc/docs/firewalls][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: 
https://cloud.google.com/vpc/docs/firewalls\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.7","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"gce_firewall_rule\\\"\")\n\nfilter_patch_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.patch\\\"\")\n\nfilter_insert_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.insert\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.delete\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, 
logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_patch_constant)\n\tcontains(filter_parsed, filter_insert_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"xrg-k52-qt3","createdAt":1665677775464,"name":"A log metric filter and alerts exist for VPC network firewall rule 
changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.6","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for changes to Identity and\nAccess Management (IAM) role creation, deletion and updating activities.\n\n## Rationale\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google\nCloud Platform resources and prevent unwanted access to other resources. However, to\ncater to organization-specific needs, Cloud IAM also provides the ability to create custom\nroles. Project owners and administrators with the Organization Role Administrator role or\nthe IAM Role Administrator role can create custom roles. Monitoring role creation, deletion\nand updating activities helps identify any over-privileged role an early stage.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"iam_role\"\n AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"\n ```\n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every custom role change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. 
[https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/iam/docs/understanding-custom-roles][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/iam/docs/understanding-custom-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.6","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"iam_role\\\"\")\n\nfilter_create_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"\")\n\nfilter_update_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_create_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n\tcontains(filter_parsed, filter_update_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"8jp-b4x-ubz","createdAt":1665677984333,"name":"A log metric filter and alerts exist for custom role changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate does not expire within the next 7 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### From the console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### From the command line\n\n1. 
Run the [`delete-certificate`][2] command to remove the invalid certificate.\n\n ```\n aws acm delete-certificate --certificate-arn insert-certificate-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.\n\n## Rationale\n\n[Requests for ACM certificates time out if they are not validated within 72 hours][1]. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources. \n\n[ACM either renews your certificates automatically (if you are using DNS validation)][2], or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service. \n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up DNS Validation][3] or [Resending Validation Email][4] docs to validate a certificate in the AWS Console or by email.\n\n### From the command line\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[4]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is not pending 
validation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly. 
AMIs should only be shared with [specific AWS accounts][2] or [your AWS Organization][3].\n\n## Remediation\n\n### From the console\n\nFollow the instructions outlined in the [AWS documentation][4].\n\n### From the command line\n\nUse the following command to stop sharing the AMI:\n\n ```bash\n aws ec2 modify-image-attribute \\\n --image-id ami-xxxx \\\n --launch-permission \"Remove=[{Group=all}]\"\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308
-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tnot ami.image_owner_alias in [\"aws-marketplace\", \"amazon\"]\n} else if {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" if {\n\tami.public == false\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add steps to Triage and response section.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. 
Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect a successful `@evt.name:DeleteLogGroup` event.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` through a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n<<<<<<< HEAD\n[1]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n=======\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n>>>>>>> main\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. 
If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR 
cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no 
mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n* 10 March 2022 - Rule updated.\n* 15 December 2022 - Rule updated to cover edge case.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ConsoleLogin -@level:Error (@userIdentity.sessionContext.attributes.mfaAuthenticated:true OR @additionalEventData.MFAUsed:Yes) -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a 
user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n* 18 November 2022 - Updated severity.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false 
@responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add additional triage and response steps.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n## Changelog\n* 18 March 2022 - Rule query and severity updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR 
Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":20,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a 
scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. 
Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n## Changelog\n* 14 November 2022 - Updated severity.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 4 April 2022 - Rule query and signal message updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"}]} headers: Content-Type: - application/json 
@@ -368,7 +334,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking 
tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* 
[Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you 
monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 
0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* [DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. 
If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR 
DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM 
group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy 
@requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS 
IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a 
user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR 
Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:S3/AccountBlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Contact the user and determine why the user disabled the S3 Block Access feature. \n3. 
Re-enable S3 Block Public Access.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-kalilinux\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. 
Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty 
integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n## Changelog\n* 16 March 2022 - Rule severity and markdown updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n* 7 April 2022 - Updated rule query and signal message.\n* 5 January 2023 - Updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 7 April 2022 - Update rule and signal message.\n* 15 December 2022 - Update query to include Access Denied events and reduce severity.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated","distinctFields":[]},{"query":"source:cloudtrail @error.kind:AccessDenied @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated_access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful","condition":"aws_route53_querylogging_disassociated > 0"},{"status":"info","notifications":[],"name":"Access Denied","condition":"aws_route53_querylogging_disassociated_access_denied > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified 
with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR 
DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.\n31 October 2022 - updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 14 November 2022 - Updated options.\n\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. 
Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:Identity-and-Access-Management","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else if {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot 
keys_created_during_setup(credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else if {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_ip_addresses(azure_postgresql_firewall_rule) if {\n\tazure_postgresql_firewall_rule.start_ip_address != \"0.0.0.0\"\n} else if {\n\tazure_postgresql_firewall_rule.end_ip_address != \"0.0.0.0\"\n}\n\neval(azure_postgresql_firewall_rule) = \"pass\" if {\n\tnot azure_postgresql_firewall_rule.name in [\"ALL\", 
\"AllowAllAzureIps\"]\n\tcompliant_ip_addresses(azure_postgresql_firewall_rule)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_firewall_rule"]},"validationQuery":"","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 
5432\n\trule.to_port >= 5432\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\nTo update a security group rule: \n\n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2]\n2. In the navigation pane, choose **Security Groups**.\n3. Select the security group to update, then choose **Actions**.\n4. Choose **Edit inbound rules** to remove an inbound rule, or **Edit outbound rules** to remove an outbound rule.\n5. Update the rule as required.\n6. Choose **Preview changes**, **Confirm**.\n\nTo delete a security group rule: \n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2].\n2. In the navigation pane, choose **Security Groups**.\n3. 
Choose the **Delete** button to the right of the rule to delete.\n4. Choose **Preview changes**, **Confirm**.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","f
ramework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. 
This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. 
https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. 
See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle 
managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. 
Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. [https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical
-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have 
an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n} else if {\n\tkey_vault_key.attributes.enabled == true\n\tnot key_vault_key.attributes.exp == 0\n\tnot key_vault_key.attributes.exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tkey_vault_secret.attributes_exp\n\tnot key_vault_secret.attributes_exp == 0\n} else if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes.enabled == 
true\n\tkey_vault_secret.attributes.exp\n\tnot key_vault_secret.attributes.exp == 0\n}\n\neval(key_vault_secret) = \"pass\" if {\n\tcompliant(key_vault_secret)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. 
You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-discovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 17 October 2022 - Updated tags.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":19,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. \n\n### From the commandline\n\n1. For each server, [set retention policy][3] for more than or equal to 90 days.\n\n ```powershell\n Set-AzSqlServerAuditing -State Enabled -ServerName \"\" -ResourceGroupName \"\" -StorageAccountName \"abcd1234abcd1234abcd1234\" -RetentionInDays \n ```\n\n**Note:** You can set the number of days to 0 for unlimited retention.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]\n\n[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0][3]\n[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"A
udit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_retention_period(audit_setting) if {\n\taudit_setting.retention_days == 0\n} else if {\n\taudit_setting.retention_days >= 90\n}\n\neval(sql_server) = \"pass\" if {\n\tlower(sql_server.audit_setting.state) == \"enabled\"\n\tcompliant_retention_period(sql_server.audit_setting)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. 
This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. 
Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" if {\n\tcompliant(iam_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.audit_setting.state == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n* 15 November 2022 - Updated query to reduce false positives, updated option values.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication @evt.outcome:success ((-@properties.authenticationDetails.authenticationMethod:\"Previously satisfied\" -@properties.authenticationDetails.authenticationStepResultDetail:\"First factor requirement satisfied by claim in the token\") OR -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\") OR -@properties.authenticationDetails.authenticationMethod:\"Windows Hello for Business\") @properties.authenticationDetails.authenticationStepRequirement:\"Primary authentication\"","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n* 26 October 2022 - Updated query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 4 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 4"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure AD brute force login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that 
use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor 
Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. 
From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_active_directory_administrators(sql_server) if {\n\tsome active_directory_administrator in sql_server.active_directory_administrators\n\tactive_directory_administrator.administrator_type == \"ActiveDirectory\"\n\tactive_directory_administrator.name == \"ActiveDirectory\"\n} else if {\n\tnot sql_server.active_directory_administrators\n}\n\neval(sql_server) = \"pass\" if 
{\n\tcompliant_active_directory_administrators(sql_server)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. 
Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky 
Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf [remote debugging][1] is enabled, this can allow an attacker access to your applications. To reduce your attack surface, disable remote debugging when not actively needed. \n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list \\\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n ```\n az webapp config show \\\n\t--ids \"\" \\\n\t--query 'remoteDebuggingEnabled'\n ```\n3. Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set \\\n\t--ids \"\" \\\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.\n\n\n## References\n1. 
[Azure webapp config set][2]\n\n[1]: https://devblogs.microsoft.com/premier-developer/remote-debugging-azure-app-services/\n[2]: https://learn.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_remote_debugging_enabled == true\n} else if {\n\tapp_service.site_config.remote_debugging_enabled == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. 
Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == false\n} else if {\n\tapp_service.site_config.always_on == false\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == true\n} else if {\n\tapp_service.site_config.always_on == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. 
If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:Control-Activities","control:9.9","requirement:AppService","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From the command line\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_site_config(app_service) if {\n\tapp_service.site_config_http20_enabled\n} else if {\n\tapp_service.site_config.http20_enabled\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_site_config(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\"\nand \"Soft Delete\" functions. 
This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. 
\n\nEnabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n**WARNING**: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\n## Remediation\n\nEnable \"Do Not Purge\" and \"Soft Delete\" for a key vault.\n\n### From the console\n\n1. Go to **Key Vaults**.\n2. Click **Properties**.\n3. Ensure the status of soft-delete reads **'Soft delete has been enabled on this key vault'**.\n4. At the bottom of the page, click **'Enable Purge Protection'**.\n\n### From the command line \n\n ```bash\n az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n ```\n\n### From Powershell\n\n ```powershell\n Update-AzKeyVault -VaultName 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is 
recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. [https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"}]} headers: Content-Type: - application/json 
@@ -385,7 +351,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. 
If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requir
ement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_authentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. 
Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### From the console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### From the command line\n\n1. Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: 
https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tto_number(postgresql_server.version) >= 11\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### From the command line\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. 
When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"contr
ol":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tpostgresql_server.storage_profile_geo_redundant_backup != \"Disabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.notifications_by_role.state == \"On\"\n\t\"Owner\" in security_contact.properties.notifications_by_role.roles\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. 
This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.alert_notifications.minimal_severity == \"High\"\n\tsecurity_contact.properties.alert_notifications.state == \"On\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.emails != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:azure","scope:azure-active-directory","technique:T1098-account-manipulation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure service principal being assigned an Azure role.\n\n## Strategy\nMonitor Azure Activity logs for the following operations:\n\n* `@evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"`\n* `@properties.requestbody:*ServicePrincipal*`\n\n## Triage and response\n1. Determine if this activity is legitimate by investigating the: \n * Source IP of this activity: `{{@network.client.ip}}`\n * The user who made this request: `@identity.claims.name`\n * The role that was assigned to the application or service principal.\n2. 
If this user should not be assigning this Azure role and if the service principal should not be assigned this role:\n * Revoke access of compromised credentials.\n * Remove unauthorized app registration and/or service principal.\n * Investigate other activities performed by the source IP `{{@network.client.ip}}` in the IP Investigation Dashboard.\n * Investigate other activities performed by the user `{{@usr.id}}` in the User Investigation Dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.authorization @evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" @properties.requestbody:*ServicePrincipal*","groupByFields":["@usr.id","@network.client.ip"],"aggregation":"count","name":"role_assignment","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"role_assignment > 0"}],"type":"log_detection","id":"vu1-3je-k6m","createdAt":1661900093294,"name":"Azure Service Principal was assigned a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","scope:azure.compute","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","source:azure.compute","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### From the command line\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output 
as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"skip\" if {\n\tnot virtual_machine_instance.os_profile.linux_configuration\n} else = \"pass\" if {\n\tvirtual_machine_instance.os_profile.linux_configuration.disable_password_authentication == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH 
Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_assignable_scope(assignable_scope) if {\n\tassignable_scope == \"/\"\n} else if {\n\tstartswith(assignable_scope, \"/subscriptions\")\n}\n\nnon_compliant_type(role_definition) if {\n\tlower(role_definition.properties_type) == \"customrole\"\n} else if {\n\tlower(role_definition.type) == \"customrole\"\n}\n\nnon_compliant_role_definition(role_definition) if 
{\n\tnon_compliant_type(role_definition)\n\tsome permission in role_definition.permissions\n\tsome action in permission.actions\n\taction == \"*\"\n\tsome assignable_scope in role_definition.assignable_scopes\n\tnon_compliant_assignable_scope(assignable_scope)\n}\n\neval(role_definition) = \"fail\" if {\n\tnon_compliant_role_definition(role_definition)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_role_definition"]},"validationQuery":"","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. 
Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.\n\n## Changelog\n* 2 November 2022 - Update strategy.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","requirement:AppService","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. 
Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.31
2-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"\"\n} else if {\n\tapp_service.site_config.java_version == \"\"\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"11\"\n} else if {\n\tapp_service.site_config.java_version == \"11\"\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\n### From the command line\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_php_version == \"\"\n} else if {\n\tapp_service.site_config.php_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.4.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_php_version)\n} else if 
{\n\tnon_compliant_version(app_service.site_config.php_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. 
Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","ver
sion":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_python_version == \"\"\n} else if {\n\tapp_service.site_config.python_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"3.6.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_python_version)\n} else if {\n\tnon_compliant_version(app_service.site_config.python_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### From the command line\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nretention_policy_not_compliant(enabled, days) if {\n\tenabled == true\n\tdays >= 1\n\tdays <= 89\n} else if {\n\tenabled == false\n}\n\nflow_log_not_compliant(flow_log) if {\n\tretention_policy_not_compliant(flow_log.retention_policy_enabled, flow_log.retention_policy_days)\n} else if {\n\tretention_policy_not_compliant(flow_log.retention_policy.enabled, flow_log.retention_policy.days)\n}\n\nflow_log_retention_policy_enabled(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else if {\n\tflow_log.retention_policy.enabled == true\n}\n\neval(network_watcher) = \"fail\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_retention_policy_enabled(flow_log)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is 
added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From the command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else if {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on the ARN: 
{{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is 
required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse a secure protocol and cipher to protect communication between the client and your Classic Elastic Load Balancers (ELBs). TLS 1.0 and 1.1 are vulnerable to attacks due to multiple insecurities, for this reason we recommend the use of `ELBSecurityPolicy-TLS-1-2-2017-01` which authorizes TLS 1.2. \n\n## Rationale\n\nInsecure communication channels increase the risk of attacks, such as man-in-the-middle, downgrade attacks, and sensitive data breaches. It is recommended to configure listeners to use HTTPS, or SSL, and `ELBSecurityPolicy-TLS-1-2-2017-01`, or a custom policy with an equivalent or more secure [configuration][1]. 
TLS on port 443 will generate a `pass` condition for this rule only if a secure policy is attached to the listener.\n\n### Protocol and cipher details\n\nThis configuration check tests for a listener configured using HTTPS, SSL, or TLS on port 443, as well as for the absence of [ciphers][6] and [protocols][1] for secure listener configurations that are not recommended by AWS.\n\n\n## Remediation\n\nIt is recommended to modify listeners configured to use TLS on port 443, to HTTPS on port 443, and select a secure policy.\n\n### From the console\n\n1. Follow the [Create an HTTPS/SSL load balancer using the console][2] documentation to learn how to create an HTTPS/SSL load balancer in the AWS console. \n2. Follow the [Update the SSL negotiation configuration using the console][4] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. \n\n### From the command line\n\n1. Follow the [Create an HTTPS/SSL load balancer using the AWS CLI][3] documentation to learn how to create an HTTPS/SSL load balancer in the AWS command line. \n2. Follow the [Update the SSL negotiation configuration using the console][5] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. 
\n\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-console\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt\n[4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-console\n[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-cli\n[6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-S
ecurity","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nweak_ciphers_and_protocols := {\n\t\"Protocol-SSLv2\", \"Protocol-SSLv3\",\n\t\"Protocol-TLSv1.1\", \"Protocol-TLSv1\",\n\t\"CAMELLIA128-SHA\", \"EDH-RSA-DES-CBC3-SHA\", \"DES-CBC3-SHA\", \"ECDHE-RSA-RC4-SHA\", \"RC4-SHA\", \"ECDHE-ECDSA-RC4-SHA\", \"DHE-DSS-AES256-GCM-SHA384\",\n\t\"DHE-RSA-AES256-GCM-SHA384\", \"DHE-RSA-AES256-SHA256\", \"DHE-DSS-AES256-SHA256\", \"DHE-RSA-AES256-SHA\", \"DHE-DSS-AES256-SHA\",\n\t\"DHE-RSA-CAMELLIA256-SHA\", \"DHE-DSS-CAMELLIA256-SHA\", \"CAMELLIA256-SHA\", \"EDH-DSS-DES-CBC3-SHA\", \"DHE-DSS-AES128-GCM-SHA256\",\n\t\"DHE-RSA-AES128-GCM-SHA256\", \"DHE-RSA-AES128-SHA256\", \"DHE-DSS-AES128-SHA256\", \"DHE-RSA-CAMELLIA128-SHA\", \"DHE-DSS-CAMELLIA128-SHA\",\n\t\"ADH-AES128-GCM-SHA256\", \"ADH-AES128-SHA\", \"ADH-AES128-SHA256\", \"ADH-AES256-GCM-SHA384\", \"ADH-AES256-SHA\", \"ADH-AES256-SHA256\",\n\t\"ADH-CAMELLIA128-SHA\", \"ADH-CAMELLIA256-SHA\", \"ADH-DES-CBC3-SHA\", \"ADH-DES-CBC-SHA\", \"ADH-RC4-MD5\", \"ADH-SEED-SHA\", \"DES-CBC-SHA\",\n\t\"DHE-DSS-SEED-SHA\", \"DHE-RSA-SEED-SHA\", \"EDH-DSS-DES-CBC-SHA\", \"EDH-RSA-DES-CBC-SHA\", \"IDEA-CBC-SHA\", \"RC4-MD5\", \"SEED-SHA\", \"DES-CBC3-MD5\",\n\t\"DES-CBC-MD5\", \"RC2-CBC-MD5\", \"PSK-AES256-CBC-SHA\", \"PSK-3DES-EDE-CBC-SHA\", \"KRB5-DES-CBC3-SHA\", \"KRB5-DES-CBC3-MD5\", \"PSK-AES128-CBC-SHA\",\n\t\"PSK-RC4-SHA\", \"KRB5-RC4-SHA\", \"KRB5-RC4-MD5\", \"KRB5-DES-CBC-SHA\", \"KRB5-DES-CBC-MD5\", \"EXP-EDH-RSA-DES-CBC-SHA\", \"EXP-EDH-DSS-DES-CBC-SHA\",\n\t\"EXP-ADH-DES-CBC-SHA\", \"EXP-DES-CBC-SHA\", \"EXP-RC2-CBC-MD5\", \"EXP-KRB5-RC2-CBC-SHA\", \"EXP-KRB5-DES-CBC-SHA\", \"EXP-KRB5-RC2-CBC-MD5\",\n\t\"EXP-KRB5-DES-CBC-MD5\", \"EXP-ADH-RC4-MD5\", \"EXP-RC4-MD5\", 
\"EXP-KRB5-RC4-SHA\", \"EXP-KRB5-RC4-MD5\", \"DHE-RSA-AES128-SHA\", \"ECDHE-RSA-AES128-SHA\",\n\t\"ECDHE-ECDSA-AES128-SHA\", \"DHE-DSS-AES128-SHA\",\n}\n\ncompliant_protocol(elb_load_balancer) if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"HTTPS\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"SSL\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"TCP\"\n\telb_load_balancer.listener_descriptions[_].listener.load_balancer_port == 443\n}\n\nnon_compliant_encryption(elb_load_balancer) if {\n\tprotocol := elb_load_balancer.policy_descriptions[_].policy_attribute_descriptions[_]\n\tprotocol.attribute_name in weak_ciphers_and_protocols\n\tlower(protocol.attribute_value) == \"true\"\n}\n\npolicy_exists(elb_load_balancer) if {\n\telb_load_balancer.listener_descriptions[_].policy_names[_]\n}\n\neval(elb_load_balancer) = \"pass\" if {\n\tcompliant_protocol(elb_load_balancer)\n\tpolicy_exists(elb_load_balancer)\n\tnot non_compliant_encryption(elb_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wco-bmg-rfd","createdAt":1670369344591,"name":"Classic Load Balancer 
listener is securely configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. 
Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","v
ersion":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\"\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### From the console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### From the 
command line\n\n1. Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.web_acl_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### From the console\n\nFollow the [Values That You Specify When You Create or Update a 
Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nnon_compliant_distribution_config(origin_protocol_policy) if {\n\torigin_protocol_policy == \"TLSv1\"\n} else if {\n\torigin_protocol_policy == \"TLSv1_2016\"\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution.distribution_config.viewer_certificate.minimum_protocol_version)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnot cloudfront_distribution.distribution_config.logging.enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### From the console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### From the command line\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.include_global_service_events\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. 
CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.log_file_validation_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account 
and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. 
CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.kms_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS 
CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","scored:true","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsures AWS CloudTrail is enabled across all AWS regions.\n\n## Rationale\n\nAWS CloudTrail has the ability to deliver log files from multiple regions to a single S3 bucket, and a single CloudWatch Logs log group. This centralizes storage and control of logs data. \n\n## Remediation\n\nIt is beneficial to create an Organization trail, as that will create a trail with that name in every region, in every account belonging to the Organization. See the [Creating a trail for an organization][1] documentation for additional details.\n\nIf you are not using AWS Organizations, you can create a multi-region CloudTrail trail directly in the affected AWS account.\n\n### From the console\n\nTo create an Organization trail:\n1. Follow the [Creating a trail for an organization][2] instructions to get started with CloudTrail.\n\nTo create a multi-region trail in an AWS account:\n1. 
Follow the [Creating and updating a trail with the console][3] instructions to get started with CloudTrail. This will enable a multi-region CloudTrail by default. \n\n### From the command line\n\nTo convert a single-region trail to multi-region using the command line:\n\n1. Run `aws cloudtrail describe-trails` to investigate your current CloudTrail configuration.\n2. Run `update-trail` with the following arguments on your selected trail to [enable multi-region-trail][4].\n ```\n aws cloudtrail update-trail\n --name my-trail\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-console.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls
","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.is_multi_region_trail\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":21,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### From the console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. 
Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","f
ramework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_origin_protocol_policy(origin_protocol_policy) if {\n\torigin_protocol_policy == \"http-only\"\n} else if {\n\torigin_protocol_policy == \"match-viewer\"\n}\n\nnon_compliant_distribution_config(cloudfront_distribution) if {\n\tsome item in cloudfront_distribution.distribution_config.origins.items\n\tnon_compliant_origin_protocol_policy(item.custom_origin_config.origin_protocol_policy)\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### From the command line\n\n1. Generate a RSA key pair. Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. 
Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. 
Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.field_level_encryption_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### From the 
console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.viewer_protocol_policy == \"allow-all\"\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. 
For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From the console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" if {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\"\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else if {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (for example, `kubectl` or `docker`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `docker`) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"get\" AND \"--all-namespaces\") OR @process.args:(\"cluster-info\") OR @process.args:(\"auth\" AND \"can-i\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_enumeration","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"create\" AND \"namespace\") OR @process.args:(\"run\" AND \"image=\") OR @process.args:(\"port-forward\") OR @process.args:(\"attach\") OR @process.args:(\"exec\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_provision","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/docker\" (@process.args:(\"run\" AND \"--privileged\") OR @process.args:(\"exec\" AND \"-it\") OR @process.args:(\"run\" AND \"--cap-add\") OR @process.args:(\"apparmor=unconfined\") OR @process.args:(\"attach\"))","groupByFields":["host"],"aggregation":"count","name":"docker_provision","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kubectl_enumeration","condition":"kubectl_enumeration > 
0"},{"status":"medium","notifications":[],"name":"kubectl_provision","condition":"kubectl_provision > 0"},{"status":"medium","notifications":[],"name":"docker_provision","condition":"docker_provision > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. 
\n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. 
https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. 
Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. 
A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is 
set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. \n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. 
https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address or user agent 
when multiple user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and at least 5 of the `@evt.outcome` are equal to `false` by the same network IP address or user agent.\n\nSecurity Signal returns **MEDIUM** if`@evt.outcome` has value of `success` after 5 multiple failed logins by the same network IP address or user agent.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n* 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.\n* 26 October 2022 - Updated query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 
50055)","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_user_agent","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"count","name":"successful_login_same_user_agent","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4 && successful_login_same_user_agent > 0"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4"}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## 
Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* 
@evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.\n\n## Changelog\n* 2 November 2022 - Updated severity.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":56,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. 
Remediate compromised user accounts.\n\n## Changelog\n* 5 January 2023 - Updated query, severity of cases, and group by values.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:(\"Invalid Password\" OR \"User is Inactive\")","groupByFields":["@network.client.ip","@login_url"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @evt.name:LoginEvent @status:\"Success\"","groupByFields":["@network.client.ip","@login_url"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"at least 1 unique login success from a single IP","condition":"unique_users_failing_to_login >= 5 && successful_login>=1"},{"status":"low","notifications":[],"name":"at least 5 unique users have failed to login from a single IP","condition":"unique_users_failing_to_login >= 5"}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. 
This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename 
OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else if {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else if {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else if {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else if {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, 
credential_report, \"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\" -(@process.executable.path:\"/usr/bin/touch\" @file.path:\"/var/spool/cron/lastrun\")","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. 
Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" if {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Transparent 
Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_transparent_data_encryption(transparent_data_encryption) if {\n\ttransparent_data_encryption.status == \"Enabled\"\n} else if {\n\ttransparent_data_encryption.state == \"Enabled\"\n}\n\neval(sql_server_database) = \"pass\" if {\n\tcompliant_transparent_data_encryption(sql_server_database.transparent_data_encryption)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server_database"]},"validationQuery":"","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\" -(@process.ancestors.executable.name:postgres @process.args:*pg_wal*)","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job 
data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console\n\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. 
Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3
.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.network_acls.default_action == \"Deny\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for 
Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From the console\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(diagnostic_setting) = \"fail\" if {\n\tsome log in diagnostic_setting.logs\n\tlog.category in [\"Administrative\", \"Alert\", \"Policy\", \"Security\"]\n\tlog.enabled == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_diagnostic_setting"]},"validationQuery":"","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"}]} headers: Content-Type: - application/json 
@@ -402,7 +368,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. 
https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB 
data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: 
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb 
(@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. 
If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requiremen
t":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside 
containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### From the command line\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dynamodb) = \"pass\" if 
{\n\tupper(dynamodb.sse_description.status) == \"ENABLED\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_dynamodb"]},"validationQuery":"","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) 
snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### From the console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### From the command line\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"pass\" if {\n\tebs_snapshot.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized 
users.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_volume) = \"pass\" if {\n\tebs_volume.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ebs_volume"]},"validationQuery":"","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","control:1.11","security:compliance","source:ebs","control:6.5.3","cloud_provider:aws","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.11","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"fail\" if {\n\tsome permission in ebs_snapshot.create_volume_permissions\n\tpermission.group == \"all\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. 
\n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ec2_instance) = \"pass\" if {\n\tec2_instance.metadata_options.http_tokens == \"required\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ec2_instance"]},"validationQuery":"","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses 
IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### From the console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. 
Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"contro
l":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_access_logs(elb_load_balancer) if {\n\tsome attribute in elb_load_balancer.attributes\n\tattribute.access_log_enabled\n} else if {\n\telb_load_balancer.load_balancer_attributes.access_log.enabled\n}\n\neval(elb_load_balancer) = \"fail\" if {\n\tnot compliant_access_logs(elb_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### From the console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] doc to learn how to create a listener that checks for connection requests.\n\n### From the command line\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] doc.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912 \\\n --protocol HTTPS \\\n --port 443 \\\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456 \\\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(elbv2_load_balancer) if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTPS\"\n} else if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTP\"\n\telbv2_load_balancer.listeners[_].default_actions[_].redirect_config.protocol == \"HTTPS\"\n\telbv2_load_balancer.listeners[_].default_actions[_].type == \"redirect\"\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"fail\" if {\n\tnot compliant_listener(elbv2_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure 
listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLB's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n## Remediation\n\n### From the console\n\nFollow the [Create a listener for your network load balancer][1] doc to learn how to add a TLS listener to your network load balancer.\n\n### From the command line\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. 
Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] doc.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \\\n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \\\n --protocol TLS \\\n --port 443 \\\n --ssl-policy ELBSecurityPolicy-2016-08 \\\n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(listener) if {\n\tlistener.protocol == \"TCP\"\n\tlistener.port == 443\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\tnot elbv2_load_balancer.type == \"network\"\n} else = \"fail\" if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol != \"TLS\"\n\tnot compliant_listener(listener)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access 
Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### From the console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### From the command line\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else if {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### From the console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### From the command line\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"pass\" if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.ssl_policy in [\"ELBSecurityPolicy-TLS-1-1-2017-01\", \"ELBSecurityPolicy-TLS-1-2-Ext-2018-06\", \"ELBSecurityPolicy-FS-1-2-Res-2019-08\", \"ELBSecurityPolicy-FS-1-1-2019-08\", \"ELBSecurityPolicy-FS-1-2-Res-2020-10\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. 
Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### From the console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### From the command line\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.configuration_endpoint.port == 11211\n} else if {\n\telasticache.engine == \"redis\"\n\telasticache.configuration_endpoint.port == 6379\n}\n\neval(elasticache) = \"fail\" if {\n\tdefault_port_used(elasticache)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### From the command line\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticache) = \"pass\" if {\n\tcount(elasticache.cache_subnet_group_name) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### From the console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the 
console.\n\n### From the command line\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n --multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_engine_version(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.engine_version == \"1.6.6\"\n} else if {\n\telasticache.engine == \"redis\"\n\tstartswith(elasticache.engine_version, \"6.\")\n} else if {\n\tnot elasticache.engine in [\"memcached\", \"redis\"]\n}\n\neval(elasticache) = \"pass\" if {\n\tcompliant_engine_version(elasticache)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### From the console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### From the command line\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: 
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(version) = \"pass\" if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" if {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := dd_common.format_semver(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### OpenSearch\n\nIf you are using OpenSearch Service Domains, refer to Amazon's [guide for creating and managing Amazon 
OpenSearch Service domains][1] for both console and CLI remediation actions. \n\n### From the console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\neval(elasticsearch_domain) = \"fail\" if {\n\tsome policy in elasticsearch_domain.policies\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource 
in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra 
layer of security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Pro
cess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\tendswith(elasticsearch_domain.endpoint, \".es.amazonaws.com\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a 
VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement encryption at rest for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### From the command line\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```bash\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. 
Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```bash\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elasticsearch_domain) = \"pass\" if {\n\telasticsearch_domain.encryption_at_rest_options_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\telasticsearch_domain.encryption_at_rest_options_kms_key_id == \"(Default) aws/es\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate 
the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668091740758,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"co7-ldi-49e","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test 
rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668543986037,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"rje-tku-m3r","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response_1668543985"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:AppService","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. 
This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\n### From the console\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted 
channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ftps_state(app_service) if {\n\tapp_service.site_config_ftps_state == \"AllAllowed\"\n} else if {\n\tapp_service.site_config.ftps_state == \"AllAllowed\"\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_ftps_state(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the accessed 
bucket: {{bucket_name}} should be accessible to unauthenticated users.\n\n## Changelog\n* 27 October 2022 - updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","technique:T1078-valid-accounts","scope:gcp-cloud-functions","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect possible GCP service account impersonation activity using the gcploit exploitation framework.\n\n## Strategy\nMonitor GCP Cloud Function Logs `source:gcp.cloud.function` and detect if the following sequence of events has occurred within a one minute window:\n* Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)\n* Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`\n* Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`\n\n## Triage & Response\n1. Investigate if the function:`{{@function.name}}` was intentionally created by user `{{@usr.id}}`.\n2. 
If unauthorized:\n * Revoke access of compromised credentials.\n * Remove unauthorized cloud functions.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":3600,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloud.function @evt.name:google.cloud.functions.v1.CloudFunctionsService.CreateFunction @data.protoPayload.request.function.timeout:539s","groupByFields":["@function.name"],"aggregation":"cardinality","name":"function_creation","distinctFields":["@usr.id"]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"get_iam_policy","distinctFields":[]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"set_iam_policy","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"function_creation > 0 && get_iam_policy > 0 && set_iam_policy >0"}],"type":"log_detection","id":"un3-5tn-fmz","createdAt":1657138827448,"name":"GCP Service Account Impersonation using GCPloit Exploitation Framework"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect GCP service account impersonation activity through the use of access tokens.\n\n## Strategy\nMonitor GCP Admin Activity audit logs for event `@evt.name:GenerateAccessToken`:\n* Successful Attempts: `@data.protoPayload.authorizationInfo.granted:true`\n* Failed Attempts: `@evt.outcome:PERMISSION_DENIED`\n\n## Triage & Response\n1. 
Investigate if the user `{{@usr.id}}` from IP address:`{{@network.client.ip}}` intended to perform this activity.\n2. If unauthorized:\n * Revoke access of compromised user and service account.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n * Investigate other activities performed by the IP `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":300},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @data.protoPayload.authorizationInfo.granted:true","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_success","distinctFields":[]},{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @evt.outcome:PERMISSION_DENIED","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"generate_access_token_failed > 0 && generate_access_token_success > 0"},{"status":"low","notifications":[],"name":"Attempted","condition":"generate_access_token_failed > 0"}],"type":"log_detection","id":"mjs-vof-vtn","createdAt":1662479173677,"name":"GCP Service Account impersonation activity using access token generation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. 
This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. 
If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`).\n\n## Changelog\n* 17 October 2022 - Updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\naccess_key_used_too_long_ago(credential_report, seen, key_to_check) if {\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])] > last_used_age_threshold\n} else if {\n\tnot credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])]\n}\n\naccess_key_non_compliant(credential_report, seen, key_to_check) if {\n\tcredential_report[concat(\"\", [\"access_key_\", key_to_check, \"_active\"])]\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_rotated\"])] > last_rotated_age_threshold\n\taccess_key_used_too_long_ago(credential_report, seen, key_to_check)\n}\n\nnon_compliant_credential_report(credential_report, seen) if {\n\taccess_key_non_compliant(credential_report, seen, \"1\")\n} else if 
{\n\taccess_key_non_compliant(credential_report, seen, \"2\")\n}\n\nshould_skip(iam_user) if {\n\tsome credential_report in iam_user.credential_report\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else if {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" if {\n\tsome credential_report in iam_user.credential_report\n\tseen := iam_user.resource_seen_at\n\tnon_compliant_credential_report(credential_report, seen)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the last 30 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tcount(iam_user.user_policies) > 0\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = 
\"fail\" if {\n\tsome password_policy in iam_account.password_policy\n\tpassword_policy.minimum_password_length < 14\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:Identity-and-Access-Management","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. 
It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\naccount_invalid(iam_account) if {\n\tnot iam_account.password_policy_v2.password_reuse_prevention == 24\n}\n\neval(iam_account) = \"fail\" if {\n\taccount_invalid(iam_account)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. 
It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. 
[http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.2","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework"
:"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" if {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. 
Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninvalid_policy(password_policy) if {\n\tpassword_policy.expire_passwords == false\n} else if {\n\tpassword_policy.max_password_age > 90\n}\n\ninvalid_account(iam_account) if {\n\tinvalid_policy(iam_account.password_policy_v2)\n} else if {\n\tnot iam_account.password_policy_v2\n}\n\neval(iam_account) = \"fail\" if {\n\tinvalid_account(iam_account)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_lowercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_numbers == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_symbols == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_uppercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### From the command line\n\n1. 
Run `list-users` to get [a list of current IAM users][3].\n ```\n aws iam list-users\n ```\n\n2. Run the `list-user-policies` command find the [users attached policies][4].\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. Run the `detach-user-policy` command to [revoke Administrator access][5].\n ```\n aws iam detach-user-policy \\\n --user-name insert-username-here \\\n --policy-arn insert-policy-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","
version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_attached_policy(iam_user) if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy.policy_name == \"AdministratorAccess\"\n}\n\neval(iam_user) = \"fail\" if {\n\tnon_compliant_attached_policy(iam_user)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does not have admin permissions to your AWS 
account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","control:1.1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEach IAM role must have a [trust policy][1] which defines the principals who are trusted to assume that role. It is possible to specify a [wildcard principal][2] which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a [`Condition` element][3] to restrict access.\n\n## Rationale\n\nA trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.\n\n## Remediation\n\nEnsure the identified role does not have a principal value of `\"AWS\": \"*\"`. If a wildcard principal is necessary, use a `Condition` element to restrict access. Follow the [AWS documentation][4] to properly scope the `Principal` policy element.\n\n### From the console\n\n1. In the AWS Console, navigate to the IAM role you would like to change.\n2. On the IAM role page, click the **Trust relationships** tab.\n3. Click **Edit trust policy**.\n4. Make changes to the trust policy to remediate the risk.\n5. 
Click **Update policy**.\n\n### From the command line\n\nUse the `update-assume-role-policy` action to [update the role trust policy][5] to remediate the risk.\n\n aws iam update-assume-role-policy\n --role-name Test-Role\n --policy-document file://.json\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.1","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":
"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncontains_case_insensitive(array, elem) if {\n\tcandidate := array[_]\n\tlower(candidate) == lower(elem)\n}\n\neval(iam_role) = \"fail\" if {\n\trole_policy := iam_role.role_policy[_]\n\n\tlower(role_policy.statement_effect) == \"allow\"\n\trole_policy.policy_principal.principal_aws[_] == \"*\"\n\n\tcontains_case_insensitive(role_policy.statement_action, \"sts:AssumeRole\")\n\n\tnot role_policy.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_role"]},"validationQuery":"","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role trust policy does not contain a wildcard 
principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### From the console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### From the command line\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: 
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From the console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else if {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From the console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.can_ip_forward\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### From the console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### From the command line\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"fail\" if {\n\tstorage_blob_container.has_immutability_policy == false\n\tstorage_blob_container.has_legal_hold == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. 
If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 445\n\trule.to_port >= 445\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 20\n\trule.to_port >= 20\n} else if {\n\trule.from_port <= 21\n\trule.to_port >= 21\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","req
uirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 80\n\trule.to_port >= 80\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### From the command line\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else if {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1433\n\trule.to_port >= 1433\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 27017\n\trule.to_port >= 27017\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3306\n\trule.to_port >= 3306\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is restricted"}]} headers: Content-Type: - application/json 
@@ -419,7 +385,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. 
Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 9200\n\trule.to_port >= 9200\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound OpenSearch access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1521\n\trule.to_port >= 1521\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 (used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 23\n\trule.to_port >= 23\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 138\n\trule.to_port >= 137\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. 
Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\"\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.args:*\\/dev\\/tcp\\/*","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_known_bad","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(uname OR cat OR ls OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
(@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(curl OR wget)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"java_shell_execution_known_bad","condition":"java_shell_execution_known_bad > 0"},{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. 
Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From the console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed if {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed if {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed if {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" if {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n* 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n* 17 October 2022 - Updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### From the command line\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.vpc_config_vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing 
charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### From the command line\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnot_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\neval(lambda_policy_statement) = \"fail\" if {\n\tnot_compliant_policy_principal(lambda_policy_statement.policy_principal)\n\tlambda_policy_statement.statement_effect == \"Allow\"\n\tnot lambda_policy_statement.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_policy_statement"]},"validationQuery":"","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","control:CC7.5","framework:gdpr","requirement:Security-Management-Process","requirement:Application-Updates","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### From the command line\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.runtime in [\"nodejs16.x\", \"python3.9\", \"ruby2.7\", \"java11\", \"go1.x\", \"dotnet6\", \"provided.al2\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. 
This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: 
https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. 
If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:(\"-S\" OR \"-Sa\" OR \"-aS\" OR \"--status\" OR \"--all\")","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. 
To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. 
Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. [https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id |\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else if {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. 
Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. 
This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tnot iam_account.account_mfa_enabled == 1\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.6","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","framework:security-labs","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.6","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"1.10","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome report in iam_user.credential_report\n\treport.password_enabled == true\n\treport.mfa_active == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. 
For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(entry) if {\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n} else if {\n\tentry.port_range_from <= 22\n\tentry.port_range_to >= 22\n} else if {\n\tentry.port_range_from <= 3389\n\tentry.port_range_to >= 3389\n}\n\nnon_compliant_protocols_and_ports(entry) if {\n\tentry.protocol in [\"tcp\", 
\"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(entry)\n} else if {\n\tnot entry.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.cidr_block == \"0.0.0.0/0\"\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.ipv6_cidr_block == \"::/0\"\n}\n\neval(network_acl) = \"fail\" if {\n\tsome entry in network_acl.entries\n\tentry.egress == false\n\tentry.rule_action == \"allow\"\n\tnon_compliant_cidr_block(entry)\n\tnon_compliant_protocols_and_ports(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### From the console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### From the command line\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. 
\n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if 
{\n\tsecurity_rule.destination_port_range == \"*\"\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else if {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly 
used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:(\"-V\" OR \"--version\")","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. 
[http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1
"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_credential_report) = \"skip\" if {\n\tiam_credential_report.user != \"\"\n} else = \"pass\" if {\n\tnot iam_credential_report.access_key_1_active\n\tnot iam_credential_report.access_key_2_active\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key 
exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access\nto remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n### Impact \n\nWhen updating an existing environment, ensure that administrators have access to\nremote server administration ports through another mechanism before removing access\nby deleting the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) inbound rule.\n\n## Remediation\n\nPerform the following to implement the prescribed state:\n1. Login to the AWS Management Console at\n[https://console.aws.amazon.com/vpc/home][1]\n2. In the left pane, click **Security Groups**\n3. 
For each security group, perform the following:\n A. Select the security group\n B. Click the **Inbound Rules** tab\n C. Click the **Edit inbound rules** button\n D. Identify the rules to be edited or removed\n E. Either update the **Source** field to a range other than 0.0.0.0/0, or click\n**Delete** to remove the offending inbound rule\n F. Click **Save rules**\n\n\n[1]: https://console.aws.amazon.com/vpc/home\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Proc
essing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. 
Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. 
[https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = 
\"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"}]} headers: Content-Type: - application/json 
@@ -436,7 +402,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and 
response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From the console\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From the command line\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. 
The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur 
when permitting unfettered outbound access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Acc
ess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol in [\"icmp\", \"1\"]\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\"]\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1497-virtualization-or-sandbox-evasion","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug -@process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_antidebug @process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug_unknown_tracer","condition":"ptrace_antidebug_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_antidebug_known_tracer","condition":"ptrace_antidebug_known_tracer > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process 
debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. 
If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":
"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tsome firewall_rule in postgresql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. 
An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 26 August 2022 - Updated rule query\n* 1 November 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(21 OR 22 OR 23 OR 445 OR 
2375 OR 3389 OR 5900 OR 5985 OR 5986))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:21 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:21)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:22 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:22)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3389 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3389)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5900 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5900)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:2375 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:2375)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5985 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5985)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5986 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5986)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:23 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:23)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:445 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:445)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"medium","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"medium","notifications":[],"name":"SSH","condition":"sg_ssh_port > 
0"},{"status":"medium","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"medium","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"medium","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"medium","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"medium","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. 
Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. 
Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. \n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following 
ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** A separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 15 December 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR 
@requestParameters.ipPermissions.items.toPort:3306) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3306 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3306)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5432 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5432)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:1433 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:1433)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:27017 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:27017)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 
OR @requestParameters.ipPermissions.items.toPort:6379) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6379 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6379)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR 
@requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:9200 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:9200)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 
0"},{"status":"medium","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"medium","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"medium","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"medium","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"medium","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"medium","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. 
If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args -@process.executable.path:\"/usr/bin/grep\"","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection -@process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_injection @process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection_unknown_tracer","condition":"ptrace_injection_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_injection_known_tracer","condition":"ptrace_injection_known_tracer > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. 
Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. 
Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"pass\" if {\n\taks_cluster.enable_rbac\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. 
[Disable direct RDP access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framewo
rk":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range in [\"3389\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 3389\n\tto_number(split_port_range[1]) >= 3389\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. 
Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. 
[https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == 
\"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] documentation to ensure your database instances are encrypted.\n\n### From the command line\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances \\\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot \\\n --db-snapshot-identifier my-db-snapshot \\\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases \\\n --region us-west-1\n ```\n\n4. 
Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot \\\n --region us-west-1 \\\n --source-db-snapshot-identifier original-db-snapshot-id \\\n --target-db-snapshot-identifier encrypted-db-snapshot-id \\\n --copy-tags \\\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-id \\\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-snapshot-id \\\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","re
quirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(rds_instance) = \"pass\" if {\n\trds_instance.storage_encrypted == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted 
access to your RDS instance allows everyone on the internet to establish a connection with your database. This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### From the command line\n\n1. Run the `modify-db-instance` command to make the instance not publicly accessible.\n\n ```\n aws rds modify-db-instance\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --db-instance-identifier INSERT_DB_INSTANCE_NAME \\\n\t --no-publicly-accessible \\\n\t --apply-immediately\n ```\n2. Run the `revoke-security-group-ingress` command to block any IPv4 address connecting to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --group-id INSERT_SECURITY_GROUP_ID \\\n\t --protocol tcp \\\n\t --port 3306 \\\n\t --cidr 0.0.0.0/0 \n ```\n3. For IPv6 you can use the same command from step 2 but use the `--ip-permissions` option instead. Reference this [aws-cli documentation][1] for more information.\n\n4. After removing the 0.0.0.0/0 or ::/0 cidr ranges from ingress you need to add in better cidr ranges using the `authorize-security-group-ingress` command.\n\n ```\n aws ec2 authorize-security-group-ingress\n \t --region INSERT_DB_INSTANCE_REGION\n\t --group-id INSERT_SECURITY_GROUP_ID\n\t --protocol tcp\n\t --port 3306\n\t --cidr INSERT_SMALLER_CIDR_RANGE\n ```\n\n[1]: 
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html#options","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecurity_group_vpc_id_to_compliant = {security_group.vpc_id |\n\tsome security_group in input.resources.aws_security_group\n\tcheck_group_non_compliance(security_group)\n}\n\ncheck_group_non_compliance(security_group) if {\n\tsecurity_group_rules := security_group.rules[_]\n\tlower(security_group_rules.direction) == \"ingress\"\n\tcheck_ip_range(security_group_rules)\n}\n\ncheck_ip_range(security_group_rules) if {\n\tsecurity_group_rules.ip_range == \"0.0.0.0/0\"\n}\n\ncheck_ip_range(security_group_rules) if 
{\n\tsecurity_group_rules.ipv6_range == \"::/0\"\n}\n\neval(rds_instance) = \"fail\" if {\n\trds_instance.publicly_accessible == true\n\tsecurity_group_vpc_id_to_compliant[rds_instance.db_subnet_group_vpc_id]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance","aws_security_group"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. 
This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### From the console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### From the command line\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: 
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(rds_instance) if {\n\trds_instance.engine in [\"aurora\", \"aurora-mysql\", \"mysql\", \"mariadb\"]\n\trds_instance.endpoint_port == 3306\n} else if {\n\trds_instance.engine in [\"postgres\", \"aurora-postgresql\"]\n\trds_instance.endpoint_port == 5432\n} else if {\n\trds_instance.engine in [\"oracle-ee\", \"oracle-se2\", \"oracle-se1\", \"oracle-se\"]\n\trds_instance.endpoint_port == 1521\n} else if {\n\trds_instance.engine in [\"sqlserver-ee\", \"sqlserver-se\", \"lserver-ex\", \"sqlserver-web\"]\n\trds_instance.endpoint_port == 1433\n}\n\neval(rds_instance) = \"fail\" if {\n\tdefault_port_used(rds_instance)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","control:1.4","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots by ensuring they are not publicly accessible.\n\n## Rationale\n\nRDS Snapshots can be marked as [public][3], allowing anyone the ability to copy the snapshot to their AWS account and create database instances from it. 
Unless a snapshot is being shared intentionally, it should be deleted.\n\n## Remediation\n\n### From the console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### From the command line\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n```\naws rds modify-db-snapshot-attribute \\\n --db-snapshot-identifier yourdbsnapshot \\\n --attribute-name restore \\\n --values-to-remove \"all\"\n```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Public\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing",
"version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_restore_attributes(db_snapshot_restore_attribute_values) if {\n\tdb_snapshot_restore_attribute_values[_] == \"all\"\n}\n\neval(rds_db_snapshot) = \"fail\" if {\n\tnon_compliant_restore_attributes(rds_db_snapshot.db_snapshot_restore_attribute_values)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_db_snapshot"]},"validationQuery":"","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. 
To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. [https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### From the command line\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster \\\n --cluster-identifier cluster-name \\\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name \\\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster \\\n --cluster-identifier old-cluster \\\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm Redshift clusters are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing clusters in a VPC][2] docs to learn how to modify public accessibility for your clusters.\n\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tnot redshift_cluster.publicly_accessible\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. 
If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.master_username != \"awsuser\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. 
Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. 
Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framew
ork":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.endpoint.port != 5439\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### From the console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. 
Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### From the console\n\nFollow the Amazon Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### From the command 
line\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = 
\"pass\" if {\n\tredshift_cluster.cluster_logging.logging_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:AppService","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\n### From the command line\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_identity(app_service) if {\n\tapp_service.identity_principal_id\n} else if {\n\tapp_service.identity.principal_id\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_identity(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active 
Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. 
Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag in the docker run command you can specify a restart policy for how a container 
should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n}\n\ndestination_with_filter(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tlog_bucket_bucket_name := trim_right(split(logging_log_bucket.resource_name, \"buckets/\")[1], \"\\\"\")\n\tsink_bucket_bucket_name := trim_right(split(logging_log_sink.destination, \"buckets/\")[1], \"\\\"\")\n\tlog_bucket_bucket_name == sink_bucket_bucket_name\n\tlogging_log_sink.filter != \"\"\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_with_filter(logging_log_bucket)\n} else = \"pass\" if {\n\tcompliant(logging_log_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" if {\n\tnon_compliant_keys(iam_credential_report)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects to the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\n### From the console\n\n1. Open the [AWS KMS console][1].\n2. To change the AWS region, use the region selector in the upper-right corner of the page.\n3. Choose **Customer managed keys**.\n4. Choose the alias of the key to update in the **Alias** column.\n5. Choose **Key rotation**.\n6. Select **Automatically rotate this KMS key every year** and then choose **Save**.\n\n### From the command line\n\n1. Use the [`enable-key-rotation`][2] command to set an automatic rotation of a KMS key on an annual basis.\n\n ```\n aws kms enable-key-rotation \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n2. Use the [`get-key-rotation-status'][3] command to verify that you've set the rotation correctly.\n\n ```\n aws kms get-key-rotation-status \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n\n## References\n\n1. 
[https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html][4]\n\n[1]: https://console.aws.amazon.com/kms\n[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-rotation-status.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aws_kms) = \"skip\" if {\n\taws_kms.key_manager != \"CUSTOMER\"\n} else = \"fail\" if {\n\tnot aws_kms.key_rotation_enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_kms"]},"validationQuery":"","resourceType":"aws_kms","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your bucket ACL to remove public `READ_ACP`, `READ` access.\n\n## Rationale\n\n* Public `READ_ACP` access gives anyone the ability to read the bucket ACL. With this permission, anyone can see who controls your objects. 
This information can potentially be used to find misconfigured permissions and gain access to your S3 data.\n\n* Public `READ` access allows the grantee to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][3].\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-P
rocess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"READ\", \"READ_ACP\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if {\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket ACL and bucket objects are not publicly readable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket ACL is not viewable by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.5","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP`, `WRITE`, or `FULL_CONTROL` access for all AWS users or any authenticated AWS user.\n\n## Rationale\n\n* Public `WRITE_ACP` access gives anyone permissions to change the S3 bucket Access Control List. 
With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.\n\n* Public `WRITE` access allows the grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects. \n\n* Public `FULL_CONTROL` access allows the grantee the `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` permissions on the bucket.\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][1].\n\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.5","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"WRITE\", \"WRITE_ACP\", \"FULL_CONTROL\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if 
{\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket ACLs are configured to block public write actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of 
Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### From the console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### From the command line\n\n1. Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"pass\" if {\n\ts3_bucket.versioning_mfa_delete == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" if {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 
bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### From the console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### From the command line\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninsecure_sse_algorithm(encryption_configuration) if {\n\tnot encryption_configuration.sse_algorithm in [\"AES256\", \"aws:kms\"]\n}\n\nbad_encryption_rules(s3_bucket) if {\n\tsome encryption_rules in s3_bucket.bucket_encryption_rules\n\tsome rules in encryption_rules.rules\n\tinsecure_sse_algorithm(rules.apply_server_side_encryption_by_default)\n} else if {\n\tnot s3_bucket.bucket_encryption_rules\n}\n\neval(s3_bucket) = \"fail\" if {\n\tbad_encryption_rules(s3_bucket)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling versioning on 
buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### From the command line\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tnot s3_bucket.versioning_status == \"Enabled\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket ACL to remove public `READ` access.\n\n## Rationale\n\nGranting public `READ` allows anyone to list objects within a bucket. 
Note that it does not allow to directly read the actual bucket objects.\n\n## Remediation\n\n### From the console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### From the command line\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n ```\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"p
olicy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.3","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run the [`delete-bucket-policy`][2] command to fully remove any public access to the bucket.\n\n ```\n aws s3api delete-bucket-policy \\\n --bucket insert-bucket-name-here\n ```\n\n2. If you need a bucket policy, create a new non-public bucket policy using the [AWS Policy Generator][3].\n3. 
Apply the bucket policy from Step 2 with the [`put-bucket-policy`][4] command.\n\n ```\n aws s3api put-bucket-policy\n --bucket insert-bucket-name-here\n --policy file://insert-bucket-policy-file-name-here.json\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.restrict_public_buckets == true\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tprincipal_aws := policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\ninsecure_policy_statements(s3_bucket) if {\n\tbucket_policy_statement := s3_bucket.bucket_policy_statement[_]\n\tbucket_policy_statement.statement_effect == \"Allow\"\n\tbucket_policy_statement.statement_has_condition == false\n\tinsecure_policy_principal(bucket_policy_statement.policy_principal)\n}\n\ncompliant_s3_bucket_access(s3_bucket) if {\n\taccount_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\taccount_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_policy_statements(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket_access(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 
0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is not publicly exposed via bucket policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket objects cannot be listed by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n* 18 March 2022 - Updated signal message, query and severity.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n[4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n[5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n[6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n[7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n[8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement 
is disabled.\n\n## Strategy\nThis detection monitors the change of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. 
You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic 
[resource-based policy][4] to prevent unintended access to the resource.\n\n## Rationale\n\nWhen a `*` is specified as a `Principal`, along with an `Allow` `Effect` it grants [anyone][5] the ability to perform actions on a resource. In this situation, if the policy includes the `sns:Subscribe` `Action`, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [resource-based policy][2] with an appropriate `Principal` ARN or a `Condition` element. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. 
Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes \\\n --topic-arn arn:aws:sns:region:123456789012:YourTopic \\\n --attribute-name Policy \\\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy(policy) if {\n\tpolicy.policy_principal.principal == \"*\"\n} else if {\n\tpolicy.policy_principal.principal_aws[_] == \"*\"\n}\n\nnon_compliant_statement_action(statement_action) if {\n\tlower(statement_action[_]) == \"sns:subscribe\"\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in 
sns_topic.policies\n\tlower(policy.statement_effect) == \"allow\"\n\tnon_compliant_policy(policy)\n\tnon_compliant_statement_action(policy.statement_action)\n\tpolicy.statement_has_condition == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has access restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `*` gives anyone access to publish on a topic. 
Unauthenticated users can publish arbitrary messages, potentially leading to loss of integrity and denial of service.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [access control policy][2] with an appropriate `Principal` ARN. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```bash\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name Policy\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\nnon_compliant_statement_action(statement_actions) if {\n\t\"SNS:Publish\" in statement_actions\n}\n\nnon_compliant_policy(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnon_compliant_statement_action(policy.statement_action)\n\tnot policy.statement_has_condition\n\n\tnon_compliant_policy_principal(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in sns_topic.policies\n\tnon_compliant_policy(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and regulatory requirements.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### From the command 
line\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sns_topic) = \"pass\" if {\n\tsns_topic.kms_master_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### From the console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### From the command line\n\nIf you do not have an access control policy, [create 
one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if 
{\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA 
database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From the command line\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"fail\" if {\n\tsome firewall_rule in sql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY 
IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. 
Click Save\n\n### Using PowerShell\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. 
In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" if {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\"\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your Cloud SQL 
databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From the command line\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" if {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\"\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From the console\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.encryption_protector.kind == \"azurekeyvault\"\n\tsql_server.encryption_protector.server_key_type == \"AzureKeyVault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master 
keys (CMK) for server-side encryption.\n\n### From the command line\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com//\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nhas_server_side_encryption(sqs_queue) if {\n\tsqs_queue.sqs_managed_sse_enabled == true\n} else if {\n\tsqs_queue.kms_master_key_id\n}\n\neval(sqs_queue) = \"pass\" if {\n\thas_server_side_encryption(sqs_queue)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized 
users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### From the command line\n\n1. Run the `list-queues` command to get a list of queue URLs.\n \n ```\n aws sqs list-queues --region insert-your-region-here\n ```\n\n2. Run the `get-queue-attributes` command with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes \\\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue \\\n --attribute-names Policy\n ```\n3. Run the `remove-permission` command to [remove any unwanted permissions][3] from your queue policy.\n\n ```\n aws sqs remove-permission \\\n --region insert-your-region-here \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-remove\n\n4. Run the `add-permission` command to [add a new permission][4] to your queue policy.\n\n ```\n aws sqs add-permission \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-add\n ```\n5. 
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/remove-permission.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. [Disable direct SSH access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: 
https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range 
in [\"22\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 22\n\tto_number(split_port_range[1]) >= 22\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(mysql_server) = \"pass\" if {\n\tmysql_server.ssl_enforcement == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_mysql_server"]},"validationQuery":"","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n1. Login to Azure Portal using [https://portal.azure.com][1]\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled to enforce SSL connection \n\n### From the command line\n\n ```\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security][2]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit][3]\n\n[1]: https://portal.azure.com\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.
2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tlower(postgresql_server.ssl_enforcement) == \"enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. 
\n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"}]} headers: Content-Type: - application/json 
@@ -453,7 +419,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file 
has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## 
Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. 
You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. 
You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ad_security_defaults_policy) = \"pass\" if {\n\tad_security_defaults_policy.is_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_ad_security_defaults_policy"]},"validationQuery":"","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. 
Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or 
modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. 
`/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. 
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. 
[https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot 
is_admin_user(gip)\n} else = \"fail\" if {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning 
service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. 
To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: 
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountUser\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == 
\"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database 
to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_checkpoints_on(server_config) if {\n\tserver_config.name == \"log_checkpoints\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_checkpoints_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. 
Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_connections_off(server_config) if 
{\n\tserver_config.name == \"log_connections\"\n\tserver_config.value == \"off\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_connections_off(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL 
Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_disconnections_on(server_config) if {\n\tserver_config.name == \"log_disconnections\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_disconnections_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL 
statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### From the console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### From the command line\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. 
Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. 
Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_numeric(x) if 
{\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\nserver_config_not_compliant(server_config) if {\n\tis_numeric(server_config.value)\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. 
Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","requirement:Storage-Accounts","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_blob_service(blob_service) if {\n\tblob_service.delete_retention_policy_enabled\n\tblob_service.delete_retention_policy_days > 0\n} else if {\n\tblob_service.delete_retention_policy.enabled\n\tblob_service.delete_retention_policy.days > 0\n}\n\neval(storage_account) = \"pass\" if {\n\tsome blob_service in storage_account.blob_services\n\tcompliant_blob_service(blob_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","source:azure.storage","level:1","requirement:Storage-Accounts","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.encryption.key_source == \"Microsoft.Keyvault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1574-hijack-execution-flow","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect attempts to load a malicious library.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as `LD_PRELOAD`, or configuration files such as `/etc/ld.so.preload/`, which the dynamic linker uses to load shared libraries. \n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.39 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dynamic_linker_config_unlink -@process.executable.path:(\"/usr/bin/dpkg\" OR \"/usr/bin/yum\")","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_unlink","distinctFields":[]},{"query":"@agent.rule_id:dynamic_linker_config_write","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_write","distinctFields":[]},{"query":"@agent.rule_id:ld_preload_unusual_library_path","groupByFields":["host"],"aggregation":"count","name":"ld_preload_unusual_library_path","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"suspected_dynamic_linker_hijacking","condition":"dynamic_linker_config_unlink > 0 || dynamic_linker_config_write > 0 || ld_preload_unusual_library_path > 0"}],"type":"workload_security","id":"qr1-yg4-ab3","createdAt":1670612608535,"name":"Suspected dynamic linker hijacking attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. 
If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. 
If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. \n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the 
Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092249514,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"workload_security","id":"6pg-sy3-vc5","isDefault":false,"name":"Test"},{"creationAuthorId":1445416,"tags":[],"isEnabled":false,"hasExtendedTitle":false,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092310914,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"c4n-gxt-rmi","isDefault":false,"name":"Test xxx1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets 
use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. 
[https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Paramet
er","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a 
project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"UDP\", \"*\"]\n\tsecurity_rule.direction == 
\"Inbound\"\n\tsecurity_rule.destination_port_range in [\"*\", \"53\", \"123\", \"161\", \"389\", \"1900\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. 
This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is 
executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":176,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.executable.name:\"unattended-upgrade\" -@process.ancestors.executable.name:(\"xtables-legacy-multi\" OR \"apt.systemd.daily\") -@module.name:(\"nf_tables\" OR \"iptable_filter\" OR \"ip6table_filter\" OR \"bpfilter\" OR \"ip6_tables\" OR \"ip6table_nat\" OR \"nf_reject_ipv4\" OR \"ipt_REJECT\" OR \"iptable_raw\")"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. 
In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. 
It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account 
token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a `Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. 
If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.executable.path:(\"/usr/bin/unattended-upgrade\" OR \"/usr/bin/dpkg\" OR \"/usr/bin/yum\" OR \"/usr/bin/rpm\") -@process.args:\"-D\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets while also receiving an error message of `AccessDenied`, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of `AccessDenied` messages while attempting to retrieve secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. 
Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n## Changelog\n* 25 October 2022 - Updated query.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue @error.kind:AccessDenied -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - 
Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging-and-Monitoring","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Go to **Monitor**.\n2. Select **Alerts**.\n3. Click On **New Alert Rule**.\n4. 
Under **Scope**, click **Select Resource**.\n5. Select the appropriate subscription under **Filter by Subscription**.\n6. Select **Policy Assignment** under **Filter by Resource Type**.\n7. Select **All** for **Filter by Location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Verify selection preview shows **All Policy** assignment (policyAssignments) and your selected subscription name.\n10. Click **Done**.\n11. Under **Condition** click **Add Condition**.\n12. Select **Create Policy Assignment** signal.\n13. Click **Done**.\n14. Under **Action Group**, select **Add Action Groups** and complete creation process or select appropriate action group.\n15. Under **Alert Rule Details**, enter **Alert Rule Name** and **Description**.\n16. Select appropriate resource group to save the alert to.\n17. Check **Enable alert rule upon creation** checkbox.\n18. Click **Create Alert Rule**.\n\n### From the Azure Command Line Interface\n\nTo create an Activity Log Alert for Create policy, use this command:\n```\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1\nbash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data mentioned below:\n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/write\",\n\t\t\t\t\t\"field\": 
\"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable parameters for the command line include the following: \n- \n- \n \nConfigurable parameters for `input.json` include the following: \n- in scopes \n- in actionGroupId \n- in actionGroupId \n- in actionGroupId\n\n\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2]\n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3]\n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n[5]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. 
Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate 
an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. 
\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := 
input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL 
Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\tnot 
condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. 
Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.security/securitysolutions/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if 
{\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. 
Using the Azure Portal search bar, search for **Monitor**. \n2. Select **Alerts** from the left-hand panel.\n3. Click **Create** and from the drop down select **Alert rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Virtual machines** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows your selected Virtual Machine(s) and subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Deallocate Virtual Machine** signal name. \n13. Navigate to **Actions**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Navigate to **Details** and select the appropriate resource group to save the alert to. \n16. Enter **Alert rule name** and **Alert rule description**.\n17. Under the **Advanced options** drop-down menu, click on the **Enable alert rule upon creation** checkbox.\n18. Click **Review + create** and verify all of the alert settings are correct.\n19. Click **Create**.\n\n### From the command line\n\n ```bash\n az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n ```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n ```json\n {\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n }\n ```\n\n**Using PowerShell AZ cmdlets**: \n ```powershell\n $ComplianceName = 'Deallocatete Virtual Machine'\n $Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n $Category = 'Administrative'\n $ResourceGroupName = 'MyResourceGroup'\n $actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n $ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n $Subscription = (Get-AzContext).Subscription\n $location = 'Global'\n $scope = \"/subscriptions/$($Subscription.Id)\"\n $alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n $conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n )\n Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate/action\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged 
for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the 
Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert 
:= input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","requirement:Azure","control:164.308-a-3-ii-a","control:2.3","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","framework:security-labs","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.3","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1
"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.network/loadbalancers/delete\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can 
detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object 
Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox.\n\n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:Logging-and-Monitoring","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight 
into changes in the **Policy - Assignments** page and reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data below: \n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n\t\t\t\t\t\"field\": \"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable Parameters for command line:\n- ``\n- ``\n\nConfigurable Parameters for `input.json`:\n- `` in scopes\n- `` in actionGroupId\n- `` in actionGroupId\n- `` in actionGroupId\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = 
\"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][1]\n2. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][3] \n4. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][4] \n5. [https://azure.microsoft.com/en-us/services/blueprints/][5]\n\n[1]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[2]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n[5]: https://azure.microsoft.com/en-us/services/blueprints/\n\n## Additional Information\n\n- This log alert also applies for Azure 
Blueprints.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete 
PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. 
Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. 
[https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operati
ons","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 'Delete Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security
","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tsome activity_log_alert in input.resources.azure_activity_log_alert\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/databases/move/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the 
console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful 
elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", 
[\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" if {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\"\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else if {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### From the command line\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"insert-vpc-policy-id\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"insert-allowed-arns\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run the `modify-vpc-endpoint` command with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint \\\n --region insert-region-here\n --vpc-endpoint-id insert-vpc-endpoint-id \\\n --policy-document file://insert-new-vpc-policy-filename.json\n ```\n\n3. Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.\n4. 
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement) if {\n\tcheck_principal_conditions(vpc_endpoint_policy_statement)\n\tnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement)\n}\n\nnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement) if {\n\tnot vpc_endpoint_policy_statement.statement_has_condition\n\tlower(vpc_endpoint_policy_statement.statement_effect) == \"allow\"\n}\n\ncheck_principal_conditions(vpc_endpoint_policy_statement) if {\n\tvpc_endpoint_policy_statement.policy_principal.principal == \"*\"\n} else if {\n\tvpc_endpoint_policy_statement.policy_principal.principal_aws[_] == \"*\"\n}\n\neval(vpc_endpoint_policy_statement) = \"fail\" if {\n\tnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc_endpoint_policy_statement"]},"validationQuery":"","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. [http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"1
64.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(vpc) = \"pass\" if {\n\tsome flowlog in vpc.flowlogs\n\tflowlog.flow_log_status == \"ACTIVE\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc"]},"validationQuery":"","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. 
\n\n## Strategy\nThis rule monitors Vault Audit Logs (`source:vault`) to detect when `root` is seen in:\n\n* auth policy (`@auth.policies`)\n\nThis rule also monitors the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n* 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.\n* 17 October 2022 - Updated queries and cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @http.url_details.path:\"sys/generate-root/attempt\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_initialized","distinctFields":[]},{"query":"source:vault @http.url_details.path:\"sys/generate-root/update\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root @type:response","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_used","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Initialized","condition":"root_token_initialized > 0"},{"status":"high","notifications":[],"name":"Created","condition":"root_token_created > 0"},{"status":"high","notifications":[],"name":"Used","condition":"root_token_used > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root 
Token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the 
most recent bug fixes and security patches.\n\n## Remediation\n\n### From the console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### From the command line\n\n1. Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.allow_version_upgrade\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\n### From the console\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\n### Using PowerShell\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"pass\" if {\n\tvirtual_machine_instance.storage_profile.os_disk.managed_disk_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email 
notifications to admins and subscription owners\". This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting 
\"Periodic recurring scans\" schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate 
for incoming requests. Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\n### From the command line\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.client_cert_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\n### From the console\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\n### From the command line\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_min_tls_version(app_service) if {\n\tapp_service.site_config_min_tls_version == \"1.2\"\n} else if {\n\tapp_service.site_config.min_tls_version == \"1.2\"\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_min_tls_version(app_service)\n} else = \"fail\"\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","framework:cis-azure","control:4.1","control:2.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\n### From the command line\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"2.1","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.https_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:windows","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes 
> 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log Cleared"}]} headers: Content-Type: - application/json 
@@ -470,7 +436,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin 
Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more 
restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR 
random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered 
(updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high 
case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127340,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wtt-nh6-juo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"}]} + {"meta":{"page":{"total_filtered_count":30,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. 
","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain 
Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall 
Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate 
administrators"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## 
Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540941284,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"o68-soo-c12","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540939"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540946161,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"r7n-huo-4rt","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540944"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package 
datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540952520,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"wth-wau-03b","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540950"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["terraform:true","test:acceptance-updated"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"Acceptance test TF rule - updated","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog # updated","resourceTypes":["gcp_compute_disk","gcp_compute_instance","gcp_compute_firewall"]},"complexRule":true},"keepAlive":21600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":true,"defaultGroupByFields":null,"userGroupByFields":["@resource","@resource_type"]},"cases":[{"status":"high","notifications":["@channel-upd"],"name":"","condition":"a > 0"}],"id":"u2m-agy-swa","createdAt":1671541008003,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671541006 - updated"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance 
test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542720397,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"grb-fzj-wqh","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542718"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542793321,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"il3-uli-eqq","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542791"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552482017,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"77c-zma-o7f","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552480"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552551633,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hop-rqz-f8v","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552550"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552663049,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 
0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhn-veo-7mp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552661"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552679840,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kbd-8wc-8cq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552678"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553311788,"filters":[{"action":"suppress","query":"does not really 
suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3am-l1f-ved","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553310"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553346438,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vmb-tgh-ihm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553344"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553410647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"p3o-o9v-1ha","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553409"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553453803,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qfz-lca-swv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553452"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553538312,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zmw-kgv-yds","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553537"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From the console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} headers: Content-Type: - application/json 
@@ -487,24 +453,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":24,"total_count":824}},"data":[{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not 
really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, 
clients can attempt to connect to\nthat instance from any IP address. Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":824}},"data":[]} + {"meta":{"page":{"total_filtered_count":0,"total_count":730}},"data":[]} headers: Content-Type: - application/json 
@@ -521,7 +470,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. 
The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to 
address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, 
\"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that 
are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From the console\n\n1. Go to **Microsoft Defender for Cloud**\n2. Click on **Environment Settings**\n3. Click on a subscription\n4. Click on **Auto Provisioning** in the left column.\n5. Ensure that **Log Analytics agent for Azure VMs** is set to **On**\n\n### From the command line\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" \nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body JSON data as mentioned below: \n\n```bash\n{\n\t\"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default \",\n\t\"name\": \"default\",\n\t\"type\": \"Microsoft.Security/autoProvisioningSettings\",\n\t\"properties\": {\n\t\t\"autoProvision\": \"On\"\n\t}\n}\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection][2]\n3. [https://msdn.microsoft.com/en-us/library/mt704062.aspx][3]\n4. [https://msdn.microsoft.com/en-us/library/mt704063.aspx][4]\n5. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list][5]\n6. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create][6]\n7. 
[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification][7]\n\n[1]: https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n[2]: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n[3]: https://msdn.microsoft.com/en-us/library/mt704062.aspx\n[4]: https://msdn.microsoft.com/en-us/library/mt704063.aspx\n[5]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n[6]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n[7]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n## Additional Information\n- Excluding any of the entries in `input.json` may disable the specific setting by default.\n- Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. 
This recommendation is updated accordingly.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_center_auto_provisioning) = \"fail\" if {\n\tsecurity_center_auto_provisioning.auto_provision == \"Off\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_center_auto_provisioning"]},"validationQuery":"","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. 
However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the console\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. 
Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"25.2","framework":"gdp
r","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_account_public_access_block) if {\n\ts3_account_public_access_block.block_public_acls\n\ts3_account_public_access_block.block_public_policy\n\ts3_account_public_access_block.ignore_public_acls\n\ts3_account_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else if {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"'Block Public Access' feature is enabled for S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\n### From the console\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. 
Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. Go back to the VM and re-attach the disk\n\n### Using PowerShell\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption_type(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Attached\"\n} else = \"pass\" if {\n\tcompliant_encryption_type(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:Storage-Accounts","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","control:6.5.3","framework:cis-azure","control:2.6","control:4.1","control:3.1","requirement:Control-Activities","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. 
Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\n### From the command line\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.6","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.supports_https_traffic_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tcontains(storage_account.network_acls.bypass, \"AzureServices\")\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome 
resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\n### From the console\n\n**Note:** Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n1. Go to `Virtual machines`\n2. For each virtual machine, go to `Settings`\n3. Click on `Disks`\n4. Click the `X` to detach the disk from the VM\n5. Now search for `Disks` and locate the unattached disk\n6. Click the disk then select `Encryption`\n7. Change your encryption type, then select your encryption set\n8. Click `Save`\n9. Go back to the VM and re-attach the disk\n\n### From the commandline\n\n```powershell\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;\n$KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss][4]\n2. 
[https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json][5]\n3. [https://docs.microsoft.com/en-us/rest/api/compute/disks/delete][6]\n4. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete][7]\n5. [https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings][8]\n6. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update][9]\n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest][10]\n\n\n[1]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[4]: https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n[5]: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n[6]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n[7]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[8]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[9]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n[10]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Unattached\"\n} else = \"pass\" if {\n\tcompliant_encryption(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. 
If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. 
Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = 
\"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum message 
severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value of the 
`log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.11","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for SQL instance\nconfiguration changes.\n\n## Rationale\nMonitoring changes to SQL instance configuration changes may reduce the time needed to\ndetect and correct SQL server misconfigurations.\nBelow are a few configurable options that may impact the security posture of an\nSQL instance:\n \u2022 Enable auto backups and high availability: Misconfiguration may adversely impact\n business 
continuity, disaster recovery, and high availability\n \u2022 Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n### Impact \nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation \n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and clicking **CREATE METRIC**.\n2. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.\n3. Clear any text and add:\n\n ```\n protoPayload.methodName=\"cloudsql.instances.update\"\n ```\n\n4. Click **Submit Filter**. Display logs appear based on the filter text.\n5. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. \nThis ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every SQL instance configuration change in the project.\n8. 
Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][9]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][10]\n\n\n\n## References\n1. [https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/storage/docs/overview][5]\n6. [https://cloud.google.com/sql/docs/][6]\n7. [https://cloud.google.com/sql/docs/mysql/][7]\n8. [https://cloud.google.com/sql/docs/postgres/][8]\n9. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][9]\n10. 
[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][10]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/storage/docs/overview\n[6]: https://cloud.google.com/sql/docs/\n[7]: https://cloud.google.com/sql/docs/mysql/\n[8]: https://cloud.google.com/sql/docs/postgres/\n[9]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[10]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_method_name_constant := upper(\"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := 
input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, filter_method_name_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"rtu-ij2-tg6","createdAt":1666265090604,"name":"A log metric filter and 
alert exists for SQL instance configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","control:2.9","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for Virtual Private Cloud (VPC) network changes.\n\n## Rationale\nIt is possible to have more than one VPC within a project. \nIn addition, it is also possible to create a peer connection between two VPCs to enable network traffic routing between VPCs.\n\nMonitoring changes to a VPC helps to ensure that VPC traffic flow is not getting impacted.\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n resource.type=gce_network\n AND (protoPayload.methodName:\"compute.networks.insert\"\n OR protoPayload.methodName:\"compute.networks.patch\"\n OR protoPayload.methodName:\"compute.networks.delete\"\n OR protoPayload.methodName:\"compute.networks.removePeering\"\n OR protoPayload.methodName:\"compute.networks.addPeering\")\n ```\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][6]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][7]\n\n\n\n## References\n1. 
[https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/vpc/docs/overview][5]\n6. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][6]\n7. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][7]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/vpc/docs/overview\n[6]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[7]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.9","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=gce_network\")\n\nfilter_method_name_1 := upper(\"protoPayload.methodName:\\\"compute.networks.insert\\\"\")\n\nfilter_method_name_2 := upper(\"protoPayload.methodName:\\\"compute.networks.patch\\\"\")\n\nfilter_method_name_3 := upper(\"protoPayload.methodName:\\\"compute.networks.delete\\\"\")\n\nfilter_method_name_4 := upper(\"protoPayload.methodName:\\\"compute.networks.removePeering\\\"\")\n\nfilter_method_name_5 := upper(\"protoPayload.methodName:\\\"compute.networks.addPeering\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type)\n\tcontains(filter_parsed, filter_method_name_1)\n\tcontains(filter_parsed, filter_method_name_2)\n\tcontains(filter_parsed, filter_method_name_3)\n\tcontains(filter_parsed, filter_method_name_4)\n\tcontains(filter_parsed, filter_method_name_5)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if 
{\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"zv2-vh1-ixx","createdAt":1665677590865,"name":"A log metric filter and alert exists for VPC network changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data\nAccess logs to help answer the question of \"Who did what, where, and when?\" within GCP\nprojects.\nCloud audit logging records information such as the identity of the API caller, the time of\nthe API call, the source 
IP address of the API caller, the request parameters, and the\nresponse elements returned by GCP services. Cloud audit logging provides a history of GCP\nAPI calls for an account, including API calls made through the console, SDKs, command-line\ntools, and other GCP services.\n\n## Rationale\nCloud audit logging to Admin Activity and Data Access logs enables security\nanalysis, resource change tracking, and compliance auditing.\nConfiguring the metric filter and alerts for audit configuration changes ensures that the\nrecommended state of audit configuration is maintained so that all activities in the project\ncan be audited at any point in time.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n protoPayload.methodName=\"SetIamPolicy\" AND\n protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n ```\n6. Click **Create Metric**.\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. 
Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every audit configuration change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_methodname_constant := upper(\"protoPayload.methodName=\\\"SetIamPolicy\\\"\")\n\nfilter_servicedata_constant := 
upper(\"protoPayload.serviceData.policyDelta.auditConfigDeltas:*\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, filter_methodname_constant)\n\tcontains(filter_parsed, filter_servicedata_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sni-qbq-wix","createdAt":1665677774002,"name":"A log metric filter and alert exists for audit configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.8","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network route changes.\n\n## Rationale\nGoogle Cloud Platform (GCP) routes define the paths taken by network traffic from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. 
Traffic whose destination IP is within the destination range is sent to the next hop\nfor delivery.\nMonitoring changes to route tables helps to ensure that all VPC traffic flows through an expected path.\n\n### Impact\nEnabling of logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console:\n\n#### Create the prescribed Log Metric:\n1. Go to [Logs-based Metrics][1] within **Logging** in the Google Cloud console and click **CREATE METRIC**.\n2. Click the down arrow symbol on the filter bar at the rightmost corner and select\n**Convert to Advanced Filter**.\n3. Clear any text and add:\n ```\n resource.type=\"gce_route\"\n AND (protoPayload.methodName:\"compute.routes.delete\"\n OR protoPayload.methodName:\"compute.routes.insert\"\n ```\n4. Click **Submit Filter**. Display logs appear based on the entered filter text.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`\n(default) and `Type` to `Counter`. This ensures that the log metric counts the number of\nlog entries matching the advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` in the\n[Logs-based Metrics][1] page in the Google Cloud console.\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create\nalert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold\nand configuration that makes sense for your organization. For example, a\nthreshold of zero(0) for the most recent value ensures that a notification is triggered\nfor every owner change in the project:\n ```\n Set `Aggregator` to `Count`\n Set `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n ```\n4. Configure the desired notification channels in the section **Notifications**.\n5. 
Name the `policy` and click **Save**.\n\n### From the command line:\n\n#### Create the prescribed Log Metric: \n\nUse the command `gcloud beta logging metrics create`. Read the [usage reference][2] in the Google Cloud documentation for more information.\n\n#### Create the prescribed alert policy:\n\nUse the command `gcloud alpha monitoring policies create`. Read the [usage reference][3] in the Google Cloud documentation for more information.\n\n## References\n\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][4]\n2. [https://cloud.google.com/monitoring/custom-metrics/][5]\n3. [https://cloud.google.com/monitoring/alerts/][6]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][7]\n5. [https://cloud.google.com/storage/docs/access-control/iam][8]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[3]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[4]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[5]: https://cloud.google.com/monitoring/custom-metrics/\n[6]: https://cloud.google.com/monitoring/alerts/\n[7]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[8]: 
https://cloud.google.com/storage/docs/access-control/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.8","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=\\\"gce_route\\\"\")\n\nfilter_method_name_delete_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.delete\\\"\")\n\nfilter_method_name_delete := upper(\"protoPayload.methodName:\\\"compute.routes.delete\\\"\")\n\nfilter_method_name_insert_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.insert\\\"\")\n\nfilter_method_name_insert := upper(\"protoPayload.methodName:\\\"compute.routes.insert\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_filter(filter_parsed, 
filter_method_name_beta, filter_method_name) if {\n\tcontains(filter_parsed, filter_method_name_beta)\n} else if {\n\tcontains(filter_parsed, filter_method_name)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\n\tcontains(filter_parsed, filter_resource_type)\n\n\tvalid_filter(filter_parsed, filter_method_name_delete_beta, filter_method_name_delete)\n\tvalid_filter(filter_parsed, filter_method_name_insert_beta, filter_method_name_insert)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.notification_channels[_]\n\tmonitoring_alert_policy.enabled == true\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-dyl-9lb","createdAt":1668685067568,"name":"A log metric filter and alerts exist for VPC Network route changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.7","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network firewall rule changes.\n\n## Rationale\nMonitoring create or update firewall rule events gives insight to network access\nchanges and may reduce the time it takes to detect suspicious activity.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. 
Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"gce_firewall_rule\"\n AND protoPayload.methodName:\"compute.firewalls.patch\"\n OR protoPayload.methodName:\"compute.firewalls.insert\"\n OR protoPayload.methodName:\"compute.firewalls.delete\"\n ```\n \n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network firewall rule change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. 
Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/vpc/docs/firewalls][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: 
https://cloud.google.com/vpc/docs/firewalls\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.7","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"gce_firewall_rule\\\"\")\n\nfilter_patch_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.patch\\\"\")\n\nfilter_insert_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.insert\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.delete\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, 
logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_patch_constant)\n\tcontains(filter_parsed, filter_insert_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"xrg-k52-qt3","createdAt":1665677775464,"name":"A log metric filter and alerts exist for VPC network firewall rule 
changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.6","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for changes to Identity and\nAccess Management (IAM) role creation, deletion and updating activities.\n\n## Rationale\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google\nCloud Platform resources and prevent unwanted access to other resources. However, to\ncater to organization-specific needs, Cloud IAM also provides the ability to create custom\nroles. Project owners and administrators with the Organization Role Administrator role or\nthe IAM Role Administrator role can create custom roles. Monitoring role creation, deletion\nand updating activities helps identify any over-privileged role an early stage.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"iam_role\"\n AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"\n ```\n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every custom role change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. 
[https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/iam/docs/understanding-custom-roles][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/iam/docs/understanding-custom-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.6","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"iam_role\\\"\")\n\nfilter_create_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"\")\n\nfilter_update_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_create_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n\tcontains(filter_parsed, filter_update_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"8jp-b4x-ubz","createdAt":1665677984333,"name":"A log metric filter and alerts exist for custom role changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate does not expire within the next 7 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### From the console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### From the command line\n\n1. 
Run the [`delete-certificate`][2] command to remove the invalid certificate.\n\n ```\n aws acm delete-certificate --certificate-arn insert-certificate-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.\n\n## Rationale\n\n[Requests for ACM certificates time out if they are not validated within 72 hours][1]. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources. \n\n[ACM either renews your certificates automatically (if you are using DNS validation)][2], or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service. \n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up DNS Validation][3] or [Resending Validation Email][4] docs to validate a certificate in the AWS Console or by email.\n\n### From the command line\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[4]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is not pending 
validation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly. 
AMIs should only be shared with [specific AWS accounts][2] or [your AWS Organization][3].\n\n## Remediation\n\n### From the console\n\nFollow the instructions outlined in the [AWS documentation][4].\n\n### From the command line\n\nUse the following command to stop sharing the AMI:\n\n ```bash\n aws ec2 modify-image-attribute \\\n --image-id ami-xxxx \\\n --launch-permission \"Remove=[{Group=all}]\"\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308
-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tnot ami.image_owner_alias in [\"aws-marketplace\", \"amazon\"]\n} else if {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" if {\n\tami.public == false\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add steps to Triage and response section.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. 
Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect a successful `@evt.name:DeleteLogGroup` event.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` through a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n<<<<<<< HEAD\n[1]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n=======\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n>>>>>>> main\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. 
If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR 
cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no 
mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n* 10 March 2022 - Rule updated.\n* 15 December 2022 - Rule updated to cover edge case.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ConsoleLogin -@level:Error (@userIdentity.sessionContext.attributes.mfaAuthenticated:true OR @additionalEventData.MFAUsed:Yes) -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a 
user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n* 18 November 2022 - Updated severity.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false 
@responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add additional triage and response steps.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n## Changelog\n* 18 March 2022 - Rule query and severity updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR 
Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":20,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a 
scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. 
Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n## Changelog\n* 14 November 2022 - Updated severity.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 4 April 2022 - Rule query and signal message updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"}]} headers: Content-Type: - application/json 
@@ -538,7 +487,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking 
tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* 
[Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you 
monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 
0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* [DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. 
If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR 
DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM 
group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy 
@requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS 
IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a 
user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR 
Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:S3/AccountBlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Contact the user and determine why the user disabled the S3 Block Access feature. \n3. 
Re-enable S3 Block Public Access.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-kalilinux\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. 
Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty 
integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n## Changelog\n* 16 March 2022 - Rule severity and markdown updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n* 7 April 2022 - Updated rule query and signal message.\n* 5 January 2023 - Updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 7 April 2022 - Update rule and signal message.\n* 15 December 2022 - Update query to include Access Denied events and reduce severity.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated","distinctFields":[]},{"query":"source:cloudtrail @error.kind:AccessDenied @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated_access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful","condition":"aws_route53_querylogging_disassociated > 0"},{"status":"info","notifications":[],"name":"Access Denied","condition":"aws_route53_querylogging_disassociated_access_denied > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified 
with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR 
DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.\n31 October 2022 - updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 14 November 2022 - Updated options.\n\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. 
Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:Identity-and-Access-Management","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else if {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot 
keys_created_during_setup(credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else if {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_ip_addresses(azure_postgresql_firewall_rule) if {\n\tazure_postgresql_firewall_rule.start_ip_address != \"0.0.0.0\"\n} else if {\n\tazure_postgresql_firewall_rule.end_ip_address != \"0.0.0.0\"\n}\n\neval(azure_postgresql_firewall_rule) = \"pass\" if {\n\tnot azure_postgresql_firewall_rule.name in [\"ALL\", 
\"AllowAllAzureIps\"]\n\tcompliant_ip_addresses(azure_postgresql_firewall_rule)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_firewall_rule"]},"validationQuery":"","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 
5432\n\trule.to_port >= 5432\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\nTo update a security group rule: \n\n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2]\n2. In the navigation pane, choose **Security Groups**.\n3. Select the security group to update, then choose **Actions**.\n4. Choose **Edit inbound rules** to remove an inbound rule, or **Edit outbound rules** to remove an outbound rule.\n5. Update the rule as required.\n6. Choose **Preview changes**, **Confirm**.\n\nTo delete a security group rule: \n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2].\n2. In the navigation pane, choose **Security Groups**.\n3. 
Choose the **Delete** button to the right of the rule to delete.\n4. Choose **Preview changes**, **Confirm**.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","f
ramework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. 
This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. 
https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. 
See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle 
managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. 
Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. [https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical
-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have 
an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n} else if {\n\tkey_vault_key.attributes.enabled == true\n\tnot key_vault_key.attributes.exp == 0\n\tnot key_vault_key.attributes.exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tkey_vault_secret.attributes_exp\n\tnot key_vault_secret.attributes_exp == 0\n} else if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes.enabled == 
true\n\tkey_vault_secret.attributes.exp\n\tnot key_vault_secret.attributes.exp == 0\n}\n\neval(key_vault_secret) = \"pass\" if {\n\tcompliant(key_vault_secret)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. 
You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-discovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 17 October 2022 - Updated tags.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":19,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. \n\n### From the commandline\n\n1. For each server, [set retention policy][3] for more than or equal to 90 days.\n\n ```powershell\n Set-AzSqlServerAuditing -State Enabled -ServerName \"\" -ResourceGroupName \"\" -StorageAccountName \"abcd1234abcd1234abcd1234\" -RetentionInDays \n ```\n\n**Note:** You can set the number of days to 0 for unlimited retention.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]\n\n[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0][3]\n[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"A
udit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_retention_period(audit_setting) if {\n\taudit_setting.retention_days == 0\n} else if {\n\taudit_setting.retention_days >= 90\n}\n\neval(sql_server) = \"pass\" if {\n\tlower(sql_server.audit_setting.state) == \"enabled\"\n\tcompliant_retention_period(sql_server.audit_setting)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. 
This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. 
Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" if {\n\tcompliant(iam_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.audit_setting.state == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n* 15 November 2022 - Updated query to reduce false positives, updated option values.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication @evt.outcome:success ((-@properties.authenticationDetails.authenticationMethod:\"Previously satisfied\" -@properties.authenticationDetails.authenticationStepResultDetail:\"First factor requirement satisfied by claim in the token\") OR -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\") OR -@properties.authenticationDetails.authenticationMethod:\"Windows Hello for Business\") @properties.authenticationDetails.authenticationStepRequirement:\"Primary authentication\"","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n* 26 October 2022 - Updated query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 4 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 4"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure AD brute force login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that 
use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor 
Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. 
From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_active_directory_administrators(sql_server) if {\n\tsome active_directory_administrator in sql_server.active_directory_administrators\n\tactive_directory_administrator.administrator_type == \"ActiveDirectory\"\n\tactive_directory_administrator.name == \"ActiveDirectory\"\n} else if {\n\tnot sql_server.active_directory_administrators\n}\n\neval(sql_server) = \"pass\" if 
{\n\tcompliant_active_directory_administrators(sql_server)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. 
Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky 
Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf [remote debugging][1] is enabled, this can allow an attacker access to your applications. To reduce your attack surface, disable remote debugging when not actively needed. \n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list \\\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n ```\n az webapp config show \\\n\t--ids \"\" \\\n\t--query 'remoteDebuggingEnabled'\n ```\n3. Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set \\\n\t--ids \"\" \\\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.\n\n\n## References\n1. 
[Azure webapp config set][2]\n\n[1]: https://devblogs.microsoft.com/premier-developer/remote-debugging-azure-app-services/\n[2]: https://learn.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_remote_debugging_enabled == true\n} else if {\n\tapp_service.site_config.remote_debugging_enabled == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. 
Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == false\n} else if {\n\tapp_service.site_config.always_on == false\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == true\n} else if {\n\tapp_service.site_config.always_on == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. 
If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:Control-Activities","control:9.9","requirement:AppService","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From the command line\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_site_config(app_service) if {\n\tapp_service.site_config_http20_enabled\n} else if {\n\tapp_service.site_config.http20_enabled\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_site_config(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\"\nand \"Soft Delete\" functions. 
This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. 
\n\nEnabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n**WARNING**: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\n## Remediation\n\nEnable \"Do Not Purge\" and \"Soft Delete\" for a key vault.\n\n### From the console\n\n1. Go to **Key Vaults**.\n2. Click **Properties**.\n3. Ensure the status of soft-delete reads **'Soft delete has been enabled on this key vault'**.\n4. At the bottom of the page, click **'Enable Purge Protection'**.\n\n### From the command line \n\n ```bash\n az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n ```\n\n### From Powershell\n\n ```powershell\n Update-AzKeyVault -VaultName 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is 
recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. [https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"}]} headers: Content-Type: - application/json 
@@ -555,7 +504,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. 
If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requir
ement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_authentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. 
Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### From the console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### From the command line\n\n1. Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: 
https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tto_number(postgresql_server.version) >= 11\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### From the command line\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. 
When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"contr
ol":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tpostgresql_server.storage_profile_geo_redundant_backup != \"Disabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.notifications_by_role.state == \"On\"\n\t\"Owner\" in security_contact.properties.notifications_by_role.roles\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. 
This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.alert_notifications.minimal_severity == \"High\"\n\tsecurity_contact.properties.alert_notifications.state == \"On\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.emails != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:azure","scope:azure-active-directory","technique:T1098-account-manipulation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure service principal being assigned an Azure role.\n\n## Strategy\nMonitor Azure Activity logs for the following operations:\n\n* `@evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"`\n* `@properties.requestbody:*ServicePrincipal*`\n\n## Triage and response\n1. Determine if this activity is legitimate by investigating the: \n * Source IP of this activity: `{{@network.client.ip}}`\n * The user who made this request: `@identity.claims.name`\n * The role that was assigned to the application or service principal.\n2. 
If this user should not be assigning this Azure role and if the service principal should not be assigned this role:\n * Revoke access of compromised credentials.\n * Remove unauthorized app registration and/or service principal.\n * Investigate other activities performed by the source IP `{{@network.client.ip}}` in the IP Investigation Dashboard.\n * Investigate other activities performed by the user `{{@usr.id}}` in the User Investigation Dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.authorization @evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" @properties.requestbody:*ServicePrincipal*","groupByFields":["@usr.id","@network.client.ip"],"aggregation":"count","name":"role_assignment","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"role_assignment > 0"}],"type":"log_detection","id":"vu1-3je-k6m","createdAt":1661900093294,"name":"Azure Service Principal was assigned a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","scope:azure.compute","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","source:azure.compute","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### From the command line\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output 
as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"skip\" if {\n\tnot virtual_machine_instance.os_profile.linux_configuration\n} else = \"pass\" if {\n\tvirtual_machine_instance.os_profile.linux_configuration.disable_password_authentication == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH 
Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_assignable_scope(assignable_scope) if {\n\tassignable_scope == \"/\"\n} else if {\n\tstartswith(assignable_scope, \"/subscriptions\")\n}\n\nnon_compliant_type(role_definition) if {\n\tlower(role_definition.properties_type) == \"customrole\"\n} else if {\n\tlower(role_definition.type) == \"customrole\"\n}\n\nnon_compliant_role_definition(role_definition) if 
{\n\tnon_compliant_type(role_definition)\n\tsome permission in role_definition.permissions\n\tsome action in permission.actions\n\taction == \"*\"\n\tsome assignable_scope in role_definition.assignable_scopes\n\tnon_compliant_assignable_scope(assignable_scope)\n}\n\neval(role_definition) = \"fail\" if {\n\tnon_compliant_role_definition(role_definition)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_role_definition"]},"validationQuery":"","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. 
Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.\n\n## Changelog\n* 2 November 2022 - Update strategy.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","requirement:AppService","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. 
Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.31
2-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"\"\n} else if {\n\tapp_service.site_config.java_version == \"\"\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"11\"\n} else if {\n\tapp_service.site_config.java_version == \"11\"\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\n### From the command line\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_php_version == \"\"\n} else if {\n\tapp_service.site_config.php_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.4.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_php_version)\n} else if 
{\n\tnon_compliant_version(app_service.site_config.php_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. 
Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","ver
sion":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_python_version == \"\"\n} else if {\n\tapp_service.site_config.python_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"3.6.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_python_version)\n} else if {\n\tnon_compliant_version(app_service.site_config.python_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### From the command line\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nretention_policy_not_compliant(enabled, days) if {\n\tenabled == true\n\tdays >= 1\n\tdays <= 89\n} else if {\n\tenabled == false\n}\n\nflow_log_not_compliant(flow_log) if {\n\tretention_policy_not_compliant(flow_log.retention_policy_enabled, flow_log.retention_policy_days)\n} else if {\n\tretention_policy_not_compliant(flow_log.retention_policy.enabled, flow_log.retention_policy.days)\n}\n\nflow_log_retention_policy_enabled(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else if {\n\tflow_log.retention_policy.enabled == true\n}\n\neval(network_watcher) = \"fail\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_retention_policy_enabled(flow_log)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is 
added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From the command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else if {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on the ARN: 
{{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is 
required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse a secure protocol and cipher to protect communication between the client and your Classic Elastic Load Balancers (ELBs). TLS 1.0 and 1.1 are vulnerable to attacks due to multiple insecurities, for this reason we recommend the use of `ELBSecurityPolicy-TLS-1-2-2017-01` which authorizes TLS 1.2. \n\n## Rationale\n\nInsecure communication channels increase the risk of attacks, such as man-in-the-middle, downgrade attacks, and sensitive data breaches. It is recommended to configure listeners to use HTTPS, or SSL, and `ELBSecurityPolicy-TLS-1-2-2017-01`, or a custom policy with an equivalent or more secure [configuration][1]. 
TLS on port 443 will generate a `pass` condition for this rule only if a secure policy is attached to the listener.\n\n### Protocol and cipher details\n\nThis configuration check tests for a listener configured using HTTPS, SSL, or TLS on port 443, as well as for the absence of [ciphers][6] and [protocols][1] for secure listener configurations that are not recommended by AWS.\n\n\n## Remediation\n\nIt is recommended to modify listeners configured to use TLS on port 443, to HTTPS on port 443, and select a secure policy.\n\n### From the console\n\n1. Follow the [Create an HTTPS/SSL load balancer using the console][2] documentation to learn how to create an HTTPS/SSL load balancer in the AWS console. \n2. Follow the [Update the SSL negotiation configuration using the console][4] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. \n\n### From the command line\n\n1. Follow the [Create an HTTPS/SSL load balancer using the AWS CLI][3] documentation to learn how to create an HTTPS/SSL load balancer in the AWS command line. \n2. Follow the [Update the SSL negotiation configuration using the console][5] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. 
\n\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-console\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt\n[4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-console\n[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-cli\n[6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-S
ecurity","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nweak_ciphers_and_protocols := {\n\t\"Protocol-SSLv2\", \"Protocol-SSLv3\",\n\t\"Protocol-TLSv1.1\", \"Protocol-TLSv1\",\n\t\"CAMELLIA128-SHA\", \"EDH-RSA-DES-CBC3-SHA\", \"DES-CBC3-SHA\", \"ECDHE-RSA-RC4-SHA\", \"RC4-SHA\", \"ECDHE-ECDSA-RC4-SHA\", \"DHE-DSS-AES256-GCM-SHA384\",\n\t\"DHE-RSA-AES256-GCM-SHA384\", \"DHE-RSA-AES256-SHA256\", \"DHE-DSS-AES256-SHA256\", \"DHE-RSA-AES256-SHA\", \"DHE-DSS-AES256-SHA\",\n\t\"DHE-RSA-CAMELLIA256-SHA\", \"DHE-DSS-CAMELLIA256-SHA\", \"CAMELLIA256-SHA\", \"EDH-DSS-DES-CBC3-SHA\", \"DHE-DSS-AES128-GCM-SHA256\",\n\t\"DHE-RSA-AES128-GCM-SHA256\", \"DHE-RSA-AES128-SHA256\", \"DHE-DSS-AES128-SHA256\", \"DHE-RSA-CAMELLIA128-SHA\", \"DHE-DSS-CAMELLIA128-SHA\",\n\t\"ADH-AES128-GCM-SHA256\", \"ADH-AES128-SHA\", \"ADH-AES128-SHA256\", \"ADH-AES256-GCM-SHA384\", \"ADH-AES256-SHA\", \"ADH-AES256-SHA256\",\n\t\"ADH-CAMELLIA128-SHA\", \"ADH-CAMELLIA256-SHA\", \"ADH-DES-CBC3-SHA\", \"ADH-DES-CBC-SHA\", \"ADH-RC4-MD5\", \"ADH-SEED-SHA\", \"DES-CBC-SHA\",\n\t\"DHE-DSS-SEED-SHA\", \"DHE-RSA-SEED-SHA\", \"EDH-DSS-DES-CBC-SHA\", \"EDH-RSA-DES-CBC-SHA\", \"IDEA-CBC-SHA\", \"RC4-MD5\", \"SEED-SHA\", \"DES-CBC3-MD5\",\n\t\"DES-CBC-MD5\", \"RC2-CBC-MD5\", \"PSK-AES256-CBC-SHA\", \"PSK-3DES-EDE-CBC-SHA\", \"KRB5-DES-CBC3-SHA\", \"KRB5-DES-CBC3-MD5\", \"PSK-AES128-CBC-SHA\",\n\t\"PSK-RC4-SHA\", \"KRB5-RC4-SHA\", \"KRB5-RC4-MD5\", \"KRB5-DES-CBC-SHA\", \"KRB5-DES-CBC-MD5\", \"EXP-EDH-RSA-DES-CBC-SHA\", \"EXP-EDH-DSS-DES-CBC-SHA\",\n\t\"EXP-ADH-DES-CBC-SHA\", \"EXP-DES-CBC-SHA\", \"EXP-RC2-CBC-MD5\", \"EXP-KRB5-RC2-CBC-SHA\", \"EXP-KRB5-DES-CBC-SHA\", \"EXP-KRB5-RC2-CBC-MD5\",\n\t\"EXP-KRB5-DES-CBC-MD5\", \"EXP-ADH-RC4-MD5\", \"EXP-RC4-MD5\", 
\"EXP-KRB5-RC4-SHA\", \"EXP-KRB5-RC4-MD5\", \"DHE-RSA-AES128-SHA\", \"ECDHE-RSA-AES128-SHA\",\n\t\"ECDHE-ECDSA-AES128-SHA\", \"DHE-DSS-AES128-SHA\",\n}\n\ncompliant_protocol(elb_load_balancer) if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"HTTPS\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"SSL\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"TCP\"\n\telb_load_balancer.listener_descriptions[_].listener.load_balancer_port == 443\n}\n\nnon_compliant_encryption(elb_load_balancer) if {\n\tprotocol := elb_load_balancer.policy_descriptions[_].policy_attribute_descriptions[_]\n\tprotocol.attribute_name in weak_ciphers_and_protocols\n\tlower(protocol.attribute_value) == \"true\"\n}\n\npolicy_exists(elb_load_balancer) if {\n\telb_load_balancer.listener_descriptions[_].policy_names[_]\n}\n\neval(elb_load_balancer) = \"pass\" if {\n\tcompliant_protocol(elb_load_balancer)\n\tpolicy_exists(elb_load_balancer)\n\tnot non_compliant_encryption(elb_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wco-bmg-rfd","createdAt":1670369344591,"name":"Classic Load Balancer 
listener is securely configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. 
Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","v
ersion":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\"\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### From the console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### From the 
command line\n\n1. Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.web_acl_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### From the console\n\nFollow the [Values That You Specify When You Create or Update a 
Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nnon_compliant_distribution_config(origin_protocol_policy) if {\n\torigin_protocol_policy == \"TLSv1\"\n} else if {\n\torigin_protocol_policy == \"TLSv1_2016\"\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution.distribution_config.viewer_certificate.minimum_protocol_version)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnot cloudfront_distribution.distribution_config.logging.enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### From the console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### From the command line\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.include_global_service_events\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. 
CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.log_file_validation_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account 
and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. 
CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.kms_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS 
CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","scored:true","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsures AWS CloudTrail is enabled across all AWS regions.\n\n## Rationale\n\nAWS CloudTrail has the ability to deliver log files from multiple regions to a single S3 bucket, and a single CloudWatch Logs log group. This centralizes storage and control of logs data. \n\n## Remediation\n\nIt is beneficial to create an Organization trail, as that will create a trail with that name in every region, in every account belonging to the Organization. See the [Creating a trail for an organization][1] documentation for additional details.\n\nIf you are not using AWS Organizations, you can create a multi-region CloudTrail trail directly in the affected AWS account.\n\n### From the console\n\nTo create an Organization trail:\n1. Follow the [Creating a trail for an organization][2] instructions to get started with CloudTrail.\n\nTo create a multi-region trail in an AWS account:\n1. 
Follow the [Creating and updating a trail with the console][3] instructions to get started with CloudTrail. This will enable a multi-region CloudTrail by default. \n\n### From the command line\n\nTo convert a single-region trail to multi-region using the command line:\n\n1. Run `aws cloudtrail describe-trails` to investigate your current CloudTrail configuration.\n2. Run `update-trail` with the following arguments on your selected trail to [enable multi-region-trail][4].\n ```\n aws cloudtrail update-trail\n --name my-trail\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-console.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls
","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.is_multi_region_trail\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":21,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### From the console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. 
Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","f
ramework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_origin_protocol_policy(origin_protocol_policy) if {\n\torigin_protocol_policy == \"http-only\"\n} else if {\n\torigin_protocol_policy == \"match-viewer\"\n}\n\nnon_compliant_distribution_config(cloudfront_distribution) if {\n\tsome item in cloudfront_distribution.distribution_config.origins.items\n\tnon_compliant_origin_protocol_policy(item.custom_origin_config.origin_protocol_policy)\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### From the command line\n\n1. Generate a RSA key pair. Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. 
Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. 
Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.field_level_encryption_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### From the 
console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.viewer_protocol_policy == \"allow-all\"\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. 
For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From the console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" if {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\"\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else if {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (for example, `kubectl` or `docker`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `docker`) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"get\" AND \"--all-namespaces\") OR @process.args:(\"cluster-info\") OR @process.args:(\"auth\" AND \"can-i\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_enumeration","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"create\" AND \"namespace\") OR @process.args:(\"run\" AND \"image=\") OR @process.args:(\"port-forward\") OR @process.args:(\"attach\") OR @process.args:(\"exec\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_provision","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/docker\" (@process.args:(\"run\" AND \"--privileged\") OR @process.args:(\"exec\" AND \"-it\") OR @process.args:(\"run\" AND \"--cap-add\") OR @process.args:(\"apparmor=unconfined\") OR @process.args:(\"attach\"))","groupByFields":["host"],"aggregation":"count","name":"docker_provision","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kubectl_enumeration","condition":"kubectl_enumeration > 
0"},{"status":"medium","notifications":[],"name":"kubectl_provision","condition":"kubectl_provision > 0"},{"status":"medium","notifications":[],"name":"docker_provision","condition":"docker_provision > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. 
\n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. 
https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. 
Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. 
A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is 
set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. \n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. 
https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address or user agent 
when multiple user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and at least 5 of the `@evt.outcome` are equal to `false` by the same network IP address or user agent.\n\nSecurity Signal returns **MEDIUM** if`@evt.outcome` has value of `success` after 5 multiple failed logins by the same network IP address or user agent.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n* 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.\n* 26 October 2022 - Updated query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 
50055)","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_user_agent","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"count","name":"successful_login_same_user_agent","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4 && successful_login_same_user_agent > 0"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4"}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## 
Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* 
@evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.\n\n## Changelog\n* 2 November 2022 - Updated severity.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":56,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. 
Remediate compromised user accounts.\n\n## Changelog\n* 5 January 2023 - Updated query, severity of cases, and group by values.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:(\"Invalid Password\" OR \"User is Inactive\")","groupByFields":["@network.client.ip","@login_url"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @evt.name:LoginEvent @status:\"Success\"","groupByFields":["@network.client.ip","@login_url"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"at least 1 unique login success from a single IP","condition":"unique_users_failing_to_login >= 5 && successful_login>=1"},{"status":"low","notifications":[],"name":"at least 5 unique users have failed to login from a single IP","condition":"unique_users_failing_to_login >= 5"}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. 
This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename 
OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else if {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else if {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else if {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else if {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, 
credential_report, \"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\" -(@process.executable.path:\"/usr/bin/touch\" @file.path:\"/var/spool/cron/lastrun\")","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. 
Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" if {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Transparent 
Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_transparent_data_encryption(transparent_data_encryption) if {\n\ttransparent_data_encryption.status == \"Enabled\"\n} else if {\n\ttransparent_data_encryption.state == \"Enabled\"\n}\n\neval(sql_server_database) = \"pass\" if {\n\tcompliant_transparent_data_encryption(sql_server_database.transparent_data_encryption)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server_database"]},"validationQuery":"","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\" -(@process.ancestors.executable.name:postgres @process.args:*pg_wal*)","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job 
data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console\n\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. 
Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3
.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.network_acls.default_action == \"Deny\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for 
Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From the console\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(diagnostic_setting) = \"fail\" if {\n\tsome log in diagnostic_setting.logs\n\tlog.category in [\"Administrative\", \"Alert\", \"Policy\", \"Security\"]\n\tlog.enabled == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_diagnostic_setting"]},"validationQuery":"","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"}]} headers: Content-Type: - application/json 
@@ -572,7 +521,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. 
https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB 
data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: 
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb 
(@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. 
If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requiremen
t":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside 
containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### From the command line\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dynamodb) = \"pass\" if 
{\n\tupper(dynamodb.sse_description.status) == \"ENABLED\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_dynamodb"]},"validationQuery":"","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) 
snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### From the console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### From the command line\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"pass\" if {\n\tebs_snapshot.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized 
users.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_volume) = \"pass\" if {\n\tebs_volume.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ebs_volume"]},"validationQuery":"","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","control:1.11","security:compliance","source:ebs","control:6.5.3","cloud_provider:aws","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.11","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"fail\" if {\n\tsome permission in ebs_snapshot.create_volume_permissions\n\tpermission.group == \"all\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. 
\n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ec2_instance) = \"pass\" if {\n\tec2_instance.metadata_options.http_tokens == \"required\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ec2_instance"]},"validationQuery":"","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses 
IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### From the console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. 
Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"contro
l":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_access_logs(elb_load_balancer) if {\n\tsome attribute in elb_load_balancer.attributes\n\tattribute.access_log_enabled\n} else if {\n\telb_load_balancer.load_balancer_attributes.access_log.enabled\n}\n\neval(elb_load_balancer) = \"fail\" if {\n\tnot compliant_access_logs(elb_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### From the console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] doc to learn how to create a listener that checks for connection requests.\n\n### From the command line\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] doc.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912 \\\n --protocol HTTPS \\\n --port 443 \\\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456 \\\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(elbv2_load_balancer) if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTPS\"\n} else if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTP\"\n\telbv2_load_balancer.listeners[_].default_actions[_].redirect_config.protocol == \"HTTPS\"\n\telbv2_load_balancer.listeners[_].default_actions[_].type == \"redirect\"\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"fail\" if {\n\tnot compliant_listener(elbv2_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure 
listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLB's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n## Remediation\n\n### From the console\n\nFollow the [Create a listener for your network load balancer][1] doc to learn how to add a TLS listener to your network load balancer.\n\n### From the command line\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. 
Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] doc.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \\\n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \\\n --protocol TLS \\\n --port 443 \\\n --ssl-policy ELBSecurityPolicy-2016-08 \\\n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(listener) if {\n\tlistener.protocol == \"TCP\"\n\tlistener.port == 443\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\tnot elbv2_load_balancer.type == \"network\"\n} else = \"fail\" if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol != \"TLS\"\n\tnot compliant_listener(listener)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access 
Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### From the console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### From the command line\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else if {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### From the console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### From the command line\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"pass\" if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.ssl_policy in [\"ELBSecurityPolicy-TLS-1-1-2017-01\", \"ELBSecurityPolicy-TLS-1-2-Ext-2018-06\", \"ELBSecurityPolicy-FS-1-2-Res-2019-08\", \"ELBSecurityPolicy-FS-1-1-2019-08\", \"ELBSecurityPolicy-FS-1-2-Res-2020-10\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. 
Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### From the console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### From the command line\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.configuration_endpoint.port == 11211\n} else if {\n\telasticache.engine == \"redis\"\n\telasticache.configuration_endpoint.port == 6379\n}\n\neval(elasticache) = \"fail\" if {\n\tdefault_port_used(elasticache)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### From the command line\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticache) = \"pass\" if {\n\tcount(elasticache.cache_subnet_group_name) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### From the console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the 
console.\n\n### From the command line\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n --multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_engine_version(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.engine_version == \"1.6.6\"\n} else if {\n\telasticache.engine == \"redis\"\n\tstartswith(elasticache.engine_version, \"6.\")\n} else if {\n\tnot elasticache.engine in [\"memcached\", \"redis\"]\n}\n\neval(elasticache) = \"pass\" if {\n\tcompliant_engine_version(elasticache)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### From the console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### From the command line\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: 
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(version) = \"pass\" if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" if {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := dd_common.format_semver(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### OpenSearch\n\nIf you are using OpenSearch Service Domains, refer to Amazon's [guide for creating and managing Amazon 
OpenSearch Service domains][1] for both console and CLI remediation actions. \n\n### From the console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\neval(elasticsearch_domain) = \"fail\" if {\n\tsome policy in elasticsearch_domain.policies\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource 
in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra 
layer of security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Pro
cess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\tendswith(elasticsearch_domain.endpoint, \".es.amazonaws.com\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a 
VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement encryption at rest for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### From the command line\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```bash\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. 
Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```bash\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elasticsearch_domain) = \"pass\" if {\n\telasticsearch_domain.encryption_at_rest_options_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\telasticsearch_domain.encryption_at_rest_options_kms_key_id == \"(Default) aws/es\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate 
the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668091740758,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"co7-ldi-49e","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test 
rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668543986037,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"rje-tku-m3r","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response_1668543985"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:AppService","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. 
This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\n### From the console\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted 
channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ftps_state(app_service) if {\n\tapp_service.site_config_ftps_state == \"AllAllowed\"\n} else if {\n\tapp_service.site_config.ftps_state == \"AllAllowed\"\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_ftps_state(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the accessed 
bucket: {{bucket_name}} should be accessible to unauthenticated users.\n\n## Changelog\n* 27 October 2022 - updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","technique:T1078-valid-accounts","scope:gcp-cloud-functions","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect possible GCP service account impersonation activity using the gcploit exploitation framework.\n\n## Strategy\nMonitor GCP Cloud Function Logs `source:gcp.cloud.function` and detect if the following sequence of events has occurred within a one minute window:\n* Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)\n* Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`\n* Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`\n\n## Triage & Response\n1. Investigate if the function:`{{@function.name}}` was intentionally created by user `{{@usr.id}}`.\n2. 
If unauthorized:\n * Revoke access of compromised credentials.\n * Remove unauthorized cloud functions.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":3600,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloud.function @evt.name:google.cloud.functions.v1.CloudFunctionsService.CreateFunction @data.protoPayload.request.function.timeout:539s","groupByFields":["@function.name"],"aggregation":"cardinality","name":"function_creation","distinctFields":["@usr.id"]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"get_iam_policy","distinctFields":[]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"set_iam_policy","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"function_creation > 0 && get_iam_policy > 0 && set_iam_policy >0"}],"type":"log_detection","id":"un3-5tn-fmz","createdAt":1657138827448,"name":"GCP Service Account Impersonation using GCPloit Exploitation Framework"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect GCP service account impersonation activity through the use of access tokens.\n\n## Strategy\nMonitor GCP Admin Activity audit logs for event `@evt.name:GenerateAccessToken`:\n* Successful Attempts: `@data.protoPayload.authorizationInfo.granted:true`\n* Failed Attempts: `@evt.outcome:PERMISSION_DENIED`\n\n## Triage & Response\n1. 
Investigate if the user `{{@usr.id}}` from IP address:`{{@network.client.ip}}` intended to perform this activity.\n2. If unauthorized:\n * Revoke access of compromised user and service account.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n * Investigate other activities performed by the IP `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":300},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @data.protoPayload.authorizationInfo.granted:true","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_success","distinctFields":[]},{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @evt.outcome:PERMISSION_DENIED","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"generate_access_token_failed > 0 && generate_access_token_success > 0"},{"status":"low","notifications":[],"name":"Attempted","condition":"generate_access_token_failed > 0"}],"type":"log_detection","id":"mjs-vof-vtn","createdAt":1662479173677,"name":"GCP Service Account impersonation activity using access token generation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. 
This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. 
If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`).\n\n## Changelog\n* 17 October 2022 - Updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\naccess_key_used_too_long_ago(credential_report, seen, key_to_check) if {\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])] > last_used_age_threshold\n} else if {\n\tnot credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])]\n}\n\naccess_key_non_compliant(credential_report, seen, key_to_check) if {\n\tcredential_report[concat(\"\", [\"access_key_\", key_to_check, \"_active\"])]\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_rotated\"])] > last_rotated_age_threshold\n\taccess_key_used_too_long_ago(credential_report, seen, key_to_check)\n}\n\nnon_compliant_credential_report(credential_report, seen) if {\n\taccess_key_non_compliant(credential_report, seen, \"1\")\n} else if 
{\n\taccess_key_non_compliant(credential_report, seen, \"2\")\n}\n\nshould_skip(iam_user) if {\n\tsome credential_report in iam_user.credential_report\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else if {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" if {\n\tsome credential_report in iam_user.credential_report\n\tseen := iam_user.resource_seen_at\n\tnon_compliant_credential_report(credential_report, seen)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the last 30 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tcount(iam_user.user_policies) > 0\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = 
\"fail\" if {\n\tsome password_policy in iam_account.password_policy\n\tpassword_policy.minimum_password_length < 14\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:Identity-and-Access-Management","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. 
It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\naccount_invalid(iam_account) if {\n\tnot iam_account.password_policy_v2.password_reuse_prevention == 24\n}\n\neval(iam_account) = \"fail\" if {\n\taccount_invalid(iam_account)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. 
It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. 
[http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.2","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework"
:"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" if {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. 
Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninvalid_policy(password_policy) if {\n\tpassword_policy.expire_passwords == false\n} else if {\n\tpassword_policy.max_password_age > 90\n}\n\ninvalid_account(iam_account) if {\n\tinvalid_policy(iam_account.password_policy_v2)\n} else if {\n\tnot iam_account.password_policy_v2\n}\n\neval(iam_account) = \"fail\" if {\n\tinvalid_account(iam_account)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_lowercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_numbers == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_symbols == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_uppercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### From the command line\n\n1. 
Run `list-users` to get [a list of current IAM users][3].\n ```\n aws iam list-users\n ```\n\n2. Run the `list-user-policies` command find the [users attached policies][4].\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. Run the `detach-user-policy` command to [revoke Administrator access][5].\n ```\n aws iam detach-user-policy \\\n --user-name insert-username-here \\\n --policy-arn insert-policy-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","
version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_attached_policy(iam_user) if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy.policy_name == \"AdministratorAccess\"\n}\n\neval(iam_user) = \"fail\" if {\n\tnon_compliant_attached_policy(iam_user)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does not have admin permissions to your AWS 
account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","control:1.1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEach IAM role must have a [trust policy][1] which defines the principals who are trusted to assume that role. It is possible to specify a [wildcard principal][2] which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a [`Condition` element][3] to restrict access.\n\n## Rationale\n\nA trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.\n\n## Remediation\n\nEnsure the identified role does not have a principal value of `\"AWS\": \"*\"`. If a wildcard principal is necessary, use a `Condition` element to restrict access. Follow the [AWS documentation][4] to properly scope the `Principal` policy element.\n\n### From the console\n\n1. In the AWS Console, navigate to the IAM role you would like to change.\n2. On the IAM role page, click the **Trust relationships** tab.\n3. Click **Edit trust policy**.\n4. Make changes to the trust policy to remediate the risk.\n5. 
Click **Update policy**.\n\n### From the command line\n\nUse the `update-assume-role-policy` action to [update the role trust policy][5] to remediate the risk.\n\n aws iam update-assume-role-policy\n --role-name Test-Role\n --policy-document file://.json\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.1","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":
"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncontains_case_insensitive(array, elem) if {\n\tcandidate := array[_]\n\tlower(candidate) == lower(elem)\n}\n\neval(iam_role) = \"fail\" if {\n\trole_policy := iam_role.role_policy[_]\n\n\tlower(role_policy.statement_effect) == \"allow\"\n\trole_policy.policy_principal.principal_aws[_] == \"*\"\n\n\tcontains_case_insensitive(role_policy.statement_action, \"sts:AssumeRole\")\n\n\tnot role_policy.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_role"]},"validationQuery":"","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role trust policy does not contain a wildcard 
principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### From the console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### From the command line\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: 
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From the console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else if {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From the console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.can_ip_forward\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### From the console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### From the command line\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"fail\" if {\n\tstorage_blob_container.has_immutability_policy == false\n\tstorage_blob_container.has_legal_hold == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. 
If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 445\n\trule.to_port >= 445\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 20\n\trule.to_port >= 20\n} else if {\n\trule.from_port <= 21\n\trule.to_port >= 21\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","req
uirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 80\n\trule.to_port >= 80\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### From the command line\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else if {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1433\n\trule.to_port >= 1433\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 27017\n\trule.to_port >= 27017\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3306\n\trule.to_port >= 3306\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is restricted"}]} headers: Content-Type: - application/json 
@@ -589,7 +538,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. 
Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 9200\n\trule.to_port >= 9200\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound OpenSearch access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1521\n\trule.to_port >= 1521\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 (used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 23\n\trule.to_port >= 23\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 138\n\trule.to_port >= 137\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. 
Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\"\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.args:*\\/dev\\/tcp\\/*","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_known_bad","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(uname OR cat OR ls OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
(@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(curl OR wget)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"java_shell_execution_known_bad","condition":"java_shell_execution_known_bad > 0"},{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. 
Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From the console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed if {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed if {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed if {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" if {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n* 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n* 17 October 2022 - Updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### From the command line\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.vpc_config_vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing 
charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### From the command line\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnot_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\neval(lambda_policy_statement) = \"fail\" if {\n\tnot_compliant_policy_principal(lambda_policy_statement.policy_principal)\n\tlambda_policy_statement.statement_effect == \"Allow\"\n\tnot lambda_policy_statement.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_policy_statement"]},"validationQuery":"","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","control:CC7.5","framework:gdpr","requirement:Security-Management-Process","requirement:Application-Updates","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### From the command line\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.runtime in [\"nodejs16.x\", \"python3.9\", \"ruby2.7\", \"java11\", \"go1.x\", \"dotnet6\", \"provided.al2\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. 
This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: 
https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. 
If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:(\"-S\" OR \"-Sa\" OR \"-aS\" OR \"--status\" OR \"--all\")","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. 
To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. 
Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. [https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id |\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else if {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. 
Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. 
This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tnot iam_account.account_mfa_enabled == 1\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.6","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","framework:security-labs","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.6","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"1.10","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome report in iam_user.credential_report\n\treport.password_enabled == true\n\treport.mfa_active == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. 
For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(entry) if {\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n} else if {\n\tentry.port_range_from <= 22\n\tentry.port_range_to >= 22\n} else if {\n\tentry.port_range_from <= 3389\n\tentry.port_range_to >= 3389\n}\n\nnon_compliant_protocols_and_ports(entry) if {\n\tentry.protocol in [\"tcp\", 
\"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(entry)\n} else if {\n\tnot entry.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.cidr_block == \"0.0.0.0/0\"\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.ipv6_cidr_block == \"::/0\"\n}\n\neval(network_acl) = \"fail\" if {\n\tsome entry in network_acl.entries\n\tentry.egress == false\n\tentry.rule_action == \"allow\"\n\tnon_compliant_cidr_block(entry)\n\tnon_compliant_protocols_and_ports(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### From the console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### From the command line\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. 
\n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if 
{\n\tsecurity_rule.destination_port_range == \"*\"\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else if {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly 
used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:(\"-V\" OR \"--version\")","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. 
[http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1
"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_credential_report) = \"skip\" if {\n\tiam_credential_report.user != \"\"\n} else = \"pass\" if {\n\tnot iam_credential_report.access_key_1_active\n\tnot iam_credential_report.access_key_2_active\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key 
exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access\nto remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n### Impact \n\nWhen updating an existing environment, ensure that administrators have access to\nremote server administration ports through another mechanism before removing access\nby deleting the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) inbound rule.\n\n## Remediation\n\nPerform the following to implement the prescribed state:\n1. Login to the AWS Management Console at\n[https://console.aws.amazon.com/vpc/home][1]\n2. In the left pane, click **Security Groups**\n3. 
For each security group, perform the following:\n A. Select the security group\n B. Click the **Inbound Rules** tab\n C. Click the **Edit inbound rules** button\n D. Identify the rules to be edited or removed\n E. Either update the **Source** field to a range other than 0.0.0.0/0, or click\n**Delete** to remove the offending inbound rule\n F. Click **Save rules**\n\n\n[1]: https://console.aws.amazon.com/vpc/home\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Proc
essing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. 
Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. 
[https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = 
\"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"}]} headers: Content-Type: - application/json 
@@ -606,7 +555,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and 
response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From the console\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From the command line\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. 
The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur 
when permitting unfettered outbound access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Acc
ess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol in [\"icmp\", \"1\"]\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\"]\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1497-virtualization-or-sandbox-evasion","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug -@process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_antidebug @process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug_unknown_tracer","condition":"ptrace_antidebug_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_antidebug_known_tracer","condition":"ptrace_antidebug_known_tracer > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process 
debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. 
If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":
"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tsome firewall_rule in postgresql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. 
An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 26 August 2022 - Updated rule query\n* 1 November 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(21 OR 22 OR 23 OR 445 OR 
2375 OR 3389 OR 5900 OR 5985 OR 5986))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:21 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:21)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:22 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:22)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3389 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3389)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5900 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5900)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:2375 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:2375)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5985 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5985)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5986 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5986)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:23 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:23)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:445 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:445)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"medium","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"medium","notifications":[],"name":"SSH","condition":"sg_ssh_port > 
0"},{"status":"medium","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"medium","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"medium","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"medium","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"medium","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. 
Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. 
Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. \n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following 
ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** A separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 15 December 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR 
@requestParameters.ipPermissions.items.toPort:3306) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3306 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3306)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5432 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5432)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:1433 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:1433)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:27017 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:27017)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 
OR @requestParameters.ipPermissions.items.toPort:6379) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6379 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6379)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR 
@requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:9200 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:9200)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 
0"},{"status":"medium","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"medium","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"medium","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"medium","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"medium","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"medium","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. 
If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args -@process.executable.path:\"/usr/bin/grep\"","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection -@process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_injection @process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection_unknown_tracer","condition":"ptrace_injection_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_injection_known_tracer","condition":"ptrace_injection_known_tracer > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. 
Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. 
Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"pass\" if {\n\taks_cluster.enable_rbac\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. 
[Disable direct RDP access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framewo
rk":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range in [\"3389\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 3389\n\tto_number(split_port_range[1]) >= 3389\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. 
Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. 
[https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == 
\"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] documentation to ensure your database instances are encrypted.\n\n### From the command line\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances \\\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot \\\n --db-snapshot-identifier my-db-snapshot \\\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases \\\n --region us-west-1\n ```\n\n4. 
Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot \\\n --region us-west-1 \\\n --source-db-snapshot-identifier original-db-snapshot-id \\\n --target-db-snapshot-identifier encrypted-db-snapshot-id \\\n --copy-tags \\\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-id \\\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-snapshot-id \\\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","re
quirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(rds_instance) = \"pass\" if {\n\trds_instance.storage_encrypted == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted 
access to your RDS instance allows everyone on the internet to establish a connection with your database. This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### From the command line\n\n1. Run the `modify-db-instance` command to make the instance not publicly accessible.\n\n ```\n aws rds modify-db-instance\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --db-instance-identifier INSERT_DB_INSTANCE_NAME \\\n\t --no-publicly-accessible \\\n\t --apply-immediately\n ```\n2. Run the `revoke-security-group-ingress` command to block any IPv4 address connecting to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --group-id INSERT_SECURITY_GROUP_ID \\\n\t --protocol tcp \\\n\t --port 3306 \\\n\t --cidr 0.0.0.0/0 \n ```\n3. For IPv6 you can use the same command from step 2 but use the `--ip-permissions` option instead. Reference this [aws-cli documentation][1] for more information.\n\n4. After removing the 0.0.0.0/0 or ::/0 cidr ranges from ingress you need to add in better cidr ranges using the `authorize-security-group-ingress` command.\n\n ```\n aws ec2 authorize-security-group-ingress\n \t --region INSERT_DB_INSTANCE_REGION\n\t --group-id INSERT_SECURITY_GROUP_ID\n\t --protocol tcp\n\t --port 3306\n\t --cidr INSERT_SMALLER_CIDR_RANGE\n ```\n\n[1]: 
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html#options","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecurity_group_vpc_id_to_compliant = {security_group.vpc_id |\n\tsome security_group in input.resources.aws_security_group\n\tcheck_group_non_compliance(security_group)\n}\n\ncheck_group_non_compliance(security_group) if {\n\tsecurity_group_rules := security_group.rules[_]\n\tlower(security_group_rules.direction) == \"ingress\"\n\tcheck_ip_range(security_group_rules)\n}\n\ncheck_ip_range(security_group_rules) if {\n\tsecurity_group_rules.ip_range == \"0.0.0.0/0\"\n}\n\ncheck_ip_range(security_group_rules) if 
{\n\tsecurity_group_rules.ipv6_range == \"::/0\"\n}\n\neval(rds_instance) = \"fail\" if {\n\trds_instance.publicly_accessible == true\n\tsecurity_group_vpc_id_to_compliant[rds_instance.db_subnet_group_vpc_id]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance","aws_security_group"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. 
This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### From the console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### From the command line\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: 
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(rds_instance) if {\n\trds_instance.engine in [\"aurora\", \"aurora-mysql\", \"mysql\", \"mariadb\"]\n\trds_instance.endpoint_port == 3306\n} else if {\n\trds_instance.engine in [\"postgres\", \"aurora-postgresql\"]\n\trds_instance.endpoint_port == 5432\n} else if {\n\trds_instance.engine in [\"oracle-ee\", \"oracle-se2\", \"oracle-se1\", \"oracle-se\"]\n\trds_instance.endpoint_port == 1521\n} else if {\n\trds_instance.engine in [\"sqlserver-ee\", \"sqlserver-se\", \"lserver-ex\", \"sqlserver-web\"]\n\trds_instance.endpoint_port == 1433\n}\n\neval(rds_instance) = \"fail\" if {\n\tdefault_port_used(rds_instance)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","control:1.4","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots by ensuring they are not publicly accessible.\n\n## Rationale\n\nRDS Snapshots can be marked as [public][3], allowing anyone the ability to copy the snapshot to their AWS account and create database instances from it. 
Unless a snapshot is being shared intentionally, it should be deleted.\n\n## Remediation\n\n### From the console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### From the command line\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n```\naws rds modify-db-snapshot-attribute \\\n --db-snapshot-identifier yourdbsnapshot \\\n --attribute-name restore \\\n --values-to-remove \"all\"\n```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Public\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing",
"version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_restore_attributes(db_snapshot_restore_attribute_values) if {\n\tdb_snapshot_restore_attribute_values[_] == \"all\"\n}\n\neval(rds_db_snapshot) = \"fail\" if {\n\tnon_compliant_restore_attributes(rds_db_snapshot.db_snapshot_restore_attribute_values)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_db_snapshot"]},"validationQuery":"","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. 
To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. [https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### From the command line\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster \\\n --cluster-identifier cluster-name \\\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name \\\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster \\\n --cluster-identifier old-cluster \\\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm Redshift clusters are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing clusters in a VPC][2] docs to learn how to modify public accessibility for your clusters.\n\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tnot redshift_cluster.publicly_accessible\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. 
If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.master_username != \"awsuser\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. 
Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. 
Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framew
ork":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.endpoint.port != 5439\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### From the console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. 
Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### From the console\n\nFollow the Amazon Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### From the command 
line\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = 
\"pass\" if {\n\tredshift_cluster.cluster_logging.logging_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:AppService","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\n### From the command line\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_identity(app_service) if {\n\tapp_service.identity_principal_id\n} else if {\n\tapp_service.identity.principal_id\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_identity(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active 
Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. 
Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag in the docker run command you can specify a restart policy for how a container 
should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n}\n\ndestination_with_filter(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tlog_bucket_bucket_name := trim_right(split(logging_log_bucket.resource_name, \"buckets/\")[1], \"\\\"\")\n\tsink_bucket_bucket_name := trim_right(split(logging_log_sink.destination, \"buckets/\")[1], \"\\\"\")\n\tlog_bucket_bucket_name == sink_bucket_bucket_name\n\tlogging_log_sink.filter != \"\"\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_with_filter(logging_log_bucket)\n} else = \"pass\" if {\n\tcompliant(logging_log_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" if {\n\tnon_compliant_keys(iam_credential_report)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects to the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\n### From the console\n\n1. Open the [AWS KMS console][1].\n2. To change the AWS region, use the region selector in the upper-right corner of the page.\n3. Choose **Customer managed keys**.\n4. Choose the alias of the key to update in the **Alias** column.\n5. Choose **Key rotation**.\n6. Select **Automatically rotate this KMS key every year** and then choose **Save**.\n\n### From the command line\n\n1. Use the [`enable-key-rotation`][2] command to set an automatic rotation of a KMS key on an annual basis.\n\n ```\n aws kms enable-key-rotation \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n2. Use the [`get-key-rotation-status'][3] command to verify that you've set the rotation correctly.\n\n ```\n aws kms get-key-rotation-status \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n\n## References\n\n1. 
[https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html][4]\n\n[1]: https://console.aws.amazon.com/kms\n[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-rotation-status.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aws_kms) = \"skip\" if {\n\taws_kms.key_manager != \"CUSTOMER\"\n} else = \"fail\" if {\n\tnot aws_kms.key_rotation_enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_kms"]},"validationQuery":"","resourceType":"aws_kms","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your bucket ACL to remove public `READ_ACP`, `READ` access.\n\n## Rationale\n\n* Public `READ_ACP` access gives anyone the ability to read the bucket ACL. With this permission, anyone can see who controls your objects. 
This information can potentially be used to find misconfigured permissions and gain access to your S3 data.\n\n* Public `READ` access allows the grantee to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][3].\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-P
rocess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"READ\", \"READ_ACP\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if {\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket ACL and bucket objects are not publicly readable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket ACL is not viewable by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.5","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP`, `WRITE`, or `FULL_CONTROL` access for all AWS users or any authenticated AWS user.\n\n## Rationale\n\n* Public `WRITE_ACP` access gives anyone permissions to change the S3 bucket Access Control List. 
With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.\n\n* Public `WRITE` access allows the grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects. \n\n* Public `FULL_CONTROL` access allows the grantee the `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` permissions on the bucket.\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][1].\n\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.5","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"WRITE\", \"WRITE_ACP\", \"FULL_CONTROL\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if 
{\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket ACLs are configured to block public write actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of 
Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### From the console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### From the command line\n\n1. Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"pass\" if {\n\ts3_bucket.versioning_mfa_delete == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" if {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 
bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### From the console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### From the command line\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninsecure_sse_algorithm(encryption_configuration) if {\n\tnot encryption_configuration.sse_algorithm in [\"AES256\", \"aws:kms\"]\n}\n\nbad_encryption_rules(s3_bucket) if {\n\tsome encryption_rules in s3_bucket.bucket_encryption_rules\n\tsome rules in encryption_rules.rules\n\tinsecure_sse_algorithm(rules.apply_server_side_encryption_by_default)\n} else if {\n\tnot s3_bucket.bucket_encryption_rules\n}\n\neval(s3_bucket) = \"fail\" if {\n\tbad_encryption_rules(s3_bucket)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling versioning on 
buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### From the command line\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tnot s3_bucket.versioning_status == \"Enabled\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket ACL to remove public `READ` access.\n\n## Rationale\n\nGranting public `READ` allows anyone to list objects within a bucket. 
Note that it does not allow to directly read the actual bucket objects.\n\n## Remediation\n\n### From the console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### From the command line\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n ```\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"p
olicy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.3","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run the [`delete-bucket-policy`][2] command to fully remove any public access to the bucket.\n\n ```\n aws s3api delete-bucket-policy \\\n --bucket insert-bucket-name-here\n ```\n\n2. If you need a bucket policy, create a new non-public bucket policy using the [AWS Policy Generator][3].\n3. 
Apply the bucket policy from Step 2 with the [`put-bucket-policy`][4] command.\n\n ```\n aws s3api put-bucket-policy\n --bucket insert-bucket-name-here\n --policy file://insert-bucket-policy-file-name-here.json\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.restrict_public_buckets == true\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tprincipal_aws := policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\ninsecure_policy_statements(s3_bucket) if {\n\tbucket_policy_statement := s3_bucket.bucket_policy_statement[_]\n\tbucket_policy_statement.statement_effect == \"Allow\"\n\tbucket_policy_statement.statement_has_condition == false\n\tinsecure_policy_principal(bucket_policy_statement.policy_principal)\n}\n\ncompliant_s3_bucket_access(s3_bucket) if {\n\taccount_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\taccount_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_policy_statements(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket_access(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 
0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is not publicly exposed via bucket policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket objects cannot be listed by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n* 18 March 2022 - Updated signal message, query and severity.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n[4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n[5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n[6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n[7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n[8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement 
is disabled.\n\n## Strategy\nThis detection monitors the change of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. 
You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic 
[resource-based policy][4] to prevent unintended access to the resource.\n\n## Rationale\n\nWhen a `*` is specified as a `Principal`, along with an `Allow` `Effect` it grants [anyone][5] the ability to perform actions on a resource. In this situation, if the policy includes the `sns:Subscribe` `Action`, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [resource-based policy][2] with an appropriate `Principal` ARN or a `Condition` element. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. 
Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes \\\n --topic-arn arn:aws:sns:region:123456789012:YourTopic \\\n --attribute-name Policy \\\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy(policy) if {\n\tpolicy.policy_principal.principal == \"*\"\n} else if {\n\tpolicy.policy_principal.principal_aws[_] == \"*\"\n}\n\nnon_compliant_statement_action(statement_action) if {\n\tlower(statement_action[_]) == \"sns:subscribe\"\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in 
sns_topic.policies\n\tlower(policy.statement_effect) == \"allow\"\n\tnon_compliant_policy(policy)\n\tnon_compliant_statement_action(policy.statement_action)\n\tpolicy.statement_has_condition == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has access restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `*` gives anyone access to publish on a topic. 
Unauthenticated users can publish arbitrary messages, potentially leading to loss of integrity and denial of service.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [access control policy][2] with an appropriate `Principal` ARN. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```bash\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name Policy\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\nnon_compliant_statement_action(statement_actions) if {\n\t\"SNS:Publish\" in statement_actions\n}\n\nnon_compliant_policy(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnon_compliant_statement_action(policy.statement_action)\n\tnot policy.statement_has_condition\n\n\tnon_compliant_policy_principal(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in sns_topic.policies\n\tnon_compliant_policy(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and regulatory requirements.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### From the command 
line\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sns_topic) = \"pass\" if {\n\tsns_topic.kms_master_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### From the console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### From the command line\n\nIf you do not have an access control policy, [create 
one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if 
{\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA 
database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From the command line\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"fail\" if {\n\tsome firewall_rule in sql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY 
IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. 
Click Save\n\n### Using PowerShell\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. 
In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" if {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\"\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your Cloud SQL 
databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From the command line\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" if {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\"\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From the console\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.encryption_protector.kind == \"azurekeyvault\"\n\tsql_server.encryption_protector.server_key_type == \"AzureKeyVault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master 
keys (CMK) for server-side encryption.\n\n### From the command line\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com//\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nhas_server_side_encryption(sqs_queue) if {\n\tsqs_queue.sqs_managed_sse_enabled == true\n} else if {\n\tsqs_queue.kms_master_key_id\n}\n\neval(sqs_queue) = \"pass\" if {\n\thas_server_side_encryption(sqs_queue)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized 
users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### From the command line\n\n1. Run the `list-queues` command to get a list of queue URLs.\n \n ```\n aws sqs list-queues --region insert-your-region-here\n ```\n\n2. Run the `get-queue-attributes` command with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes \\\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue \\\n --attribute-names Policy\n ```\n3. Run the `remove-permission` command to [remove any unwanted permissions][3] from your queue policy.\n\n ```\n aws sqs remove-permission \\\n --region insert-your-region-here \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-remove\n\n4. Run the `add-permission` command to [add a new permission][4] to your queue policy.\n\n ```\n aws sqs add-permission \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-add\n ```\n5. 
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/remove-permission.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. [Disable direct SSH access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: 
https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range 
in [\"22\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 22\n\tto_number(split_port_range[1]) >= 22\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(mysql_server) = \"pass\" if {\n\tmysql_server.ssl_enforcement == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_mysql_server"]},"validationQuery":"","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n1. Login to Azure Portal using [https://portal.azure.com][1]\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled to enforce SSL connection \n\n### From the command line\n\n ```\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security][2]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit][3]\n\n[1]: https://portal.azure.com\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.
2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tlower(postgresql_server.ssl_enforcement) == \"enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. 
\n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"}]} headers: Content-Type: - application/json 
@@ -623,7 +572,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file 
has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## 
Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. 
You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. 
You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ad_security_defaults_policy) = \"pass\" if {\n\tad_security_defaults_policy.is_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_ad_security_defaults_policy"]},"validationQuery":"","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. 
Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or 
modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. 
`/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. 
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. 
[https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot 
is_admin_user(gip)\n} else = \"fail\" if {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning 
service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. 
To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: 
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountUser\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == 
\"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database 
to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_checkpoints_on(server_config) if {\n\tserver_config.name == \"log_checkpoints\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_checkpoints_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. 
Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_connections_off(server_config) if 
{\n\tserver_config.name == \"log_connections\"\n\tserver_config.value == \"off\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_connections_off(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL 
Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_disconnections_on(server_config) if {\n\tserver_config.name == \"log_disconnections\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_disconnections_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL 
statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### From the console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### From the command line\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. 
Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. 
Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_numeric(x) if 
{\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\nserver_config_not_compliant(server_config) if {\n\tis_numeric(server_config.value)\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. 
Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","requirement:Storage-Accounts","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_blob_service(blob_service) if {\n\tblob_service.delete_retention_policy_enabled\n\tblob_service.delete_retention_policy_days > 0\n} else if {\n\tblob_service.delete_retention_policy.enabled\n\tblob_service.delete_retention_policy.days > 0\n}\n\neval(storage_account) = \"pass\" if {\n\tsome blob_service in storage_account.blob_services\n\tcompliant_blob_service(blob_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","source:azure.storage","level:1","requirement:Storage-Accounts","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.encryption.key_source == \"Microsoft.Keyvault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1574-hijack-execution-flow","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect attempts to load a malicious library.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as `LD_PRELOAD`, or configuration files such as `/etc/ld.so.preload/`, which the dynamic linker uses to load shared libraries. \n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.39 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dynamic_linker_config_unlink -@process.executable.path:(\"/usr/bin/dpkg\" OR \"/usr/bin/yum\")","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_unlink","distinctFields":[]},{"query":"@agent.rule_id:dynamic_linker_config_write","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_write","distinctFields":[]},{"query":"@agent.rule_id:ld_preload_unusual_library_path","groupByFields":["host"],"aggregation":"count","name":"ld_preload_unusual_library_path","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"suspected_dynamic_linker_hijacking","condition":"dynamic_linker_config_unlink > 0 || dynamic_linker_config_write > 0 || ld_preload_unusual_library_path > 0"}],"type":"workload_security","id":"qr1-yg4-ab3","createdAt":1670612608535,"name":"Suspected dynamic linker hijacking attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. 
If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. 
If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. \n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the 
Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092249514,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"workload_security","id":"6pg-sy3-vc5","isDefault":false,"name":"Test"},{"creationAuthorId":1445416,"tags":[],"isEnabled":false,"hasExtendedTitle":false,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092310914,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"c4n-gxt-rmi","isDefault":false,"name":"Test xxx1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets 
use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. 
[https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Paramet
er","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a 
project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"UDP\", \"*\"]\n\tsecurity_rule.direction == 
\"Inbound\"\n\tsecurity_rule.destination_port_range in [\"*\", \"53\", \"123\", \"161\", \"389\", \"1900\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. 
This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is 
executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":176,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.executable.name:\"unattended-upgrade\" -@process.ancestors.executable.name:(\"xtables-legacy-multi\" OR \"apt.systemd.daily\") -@module.name:(\"nf_tables\" OR \"iptable_filter\" OR \"ip6table_filter\" OR \"bpfilter\" OR \"ip6_tables\" OR \"ip6table_nat\" OR \"nf_reject_ipv4\" OR \"ipt_REJECT\" OR \"iptable_raw\")"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. 
In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. 
It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account 
token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a `Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. 
If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.executable.path:(\"/usr/bin/unattended-upgrade\" OR \"/usr/bin/dpkg\" OR \"/usr/bin/yum\" OR \"/usr/bin/rpm\") -@process.args:\"-D\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets while also receiving an error message of `AccessDenied`, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of `AccessDenied` messages while attempting to retrieve secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. 
Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n## Changelog\n* 25 October 2022 - Updated query.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue @error.kind:AccessDenied -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - 
Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging-and-Monitoring","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Go to **Monitor**.\n2. Select **Alerts**.\n3. Click On **New Alert Rule**.\n4. 
Under **Scope**, click **Select Resource**.\n5. Select the appropriate subscription under **Filter by Subscription**.\n6. Select **Policy Assignment** under **Filter by Resource Type**.\n7. Select **All** for **Filter by Location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Verify selection preview shows **All Policy** assignment (policyAssignments) and your selected subscription name.\n10. Click **Done**.\n11. Under **Condition** click **Add Condition**.\n12. Select **Create Policy Assignment** signal.\n13. Click **Done**.\n14. Under **Action Group**, select **Add Action Groups** and complete creation process or select appropriate action group.\n15. Under **Alert Rule Details**, enter **Alert Rule Name** and **Description**.\n16. Select appropriate resource group to save the alert to.\n17. Check **Enable alert rule upon creation** checkbox.\n18. Click **Create Alert Rule**.\n\n### From the Azure Command Line Interface\n\nTo create an Activity Log Alert for Create policy, use this command:\n```\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1\nbash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data mentioned below:\n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/write\",\n\t\t\t\t\t\"field\": 
\"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable parameters for the command line include the following: \n- \n- \n \nConfigurable parameters for `input.json` include the following: \n- in scopes \n- in actionGroupId \n- in actionGroupId \n- in actionGroupId\n\n\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2]\n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3]\n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n[5]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. 
Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate 
an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. 
\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := 
input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL 
Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\tnot 
condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. 
Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.security/securitysolutions/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if 
{\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. 
Using the Azure Portal search bar, search for **Monitor**. \n2. Select **Alerts** from the left-hand panel.\n3. Click **Create** and from the drop down select **Alert rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Virtual machines** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows your selected Virtual Machine(s) and subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Deallocate Virtual Machine** signal name. \n13. Navigate to **Actions**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Navigate to **Details** and select the appropriate resource group to save the alert to. \n16. Enter **Alert rule name** and **Alert rule description**.\n17. Under the **Advanced options** drop-down menu, click on the **Enable alert rule upon creation** checkbox.\n18. Click **Review + create** and verify all of the alert settings are correct.\n19. Click **Create**.\n\n### From the command line\n\n ```bash\n az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n ```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n ```json\n {\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n }\n ```\n\n**Using PowerShell AZ cmdlets**: \n ```powershell\n $ComplianceName = 'Deallocatete Virtual Machine'\n $Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n $Category = 'Administrative'\n $ResourceGroupName = 'MyResourceGroup'\n $actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n $ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n $Subscription = (Get-AzContext).Subscription\n $location = 'Global'\n $scope = \"/subscriptions/$($Subscription.Id)\"\n $alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n $conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n )\n Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate/action\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged 
for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the 
Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert 
:= input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","requirement:Azure","control:164.308-a-3-ii-a","control:2.3","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","framework:security-labs","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.3","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1
"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.network/loadbalancers/delete\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can 
detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object 
Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox.\n\n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:Logging-and-Monitoring","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight 
into changes in the **Policy - Assignments** page and reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data below: \n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n\t\t\t\t\t\"field\": \"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable Parameters for command line:\n- ``\n- ``\n\nConfigurable Parameters for `input.json`:\n- `` in scopes\n- `` in actionGroupId\n- `` in actionGroupId\n- `` in actionGroupId\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = 
\"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][1]\n2. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][3] \n4. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][4] \n5. [https://azure.microsoft.com/en-us/services/blueprints/][5]\n\n[1]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[2]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n[5]: https://azure.microsoft.com/en-us/services/blueprints/\n\n## Additional Information\n\n- This log alert also applies for Azure 
Blueprints.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete 
PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. 
Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. 
[https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operati
ons","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 'Delete Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security
","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tsome activity_log_alert in input.resources.azure_activity_log_alert\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/databases/move/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the 
console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful 
elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", 
[\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" if {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\"\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else if {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### From the command line\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"insert-vpc-policy-id\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"insert-allowed-arns\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run the `modify-vpc-endpoint` command with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint \\\n --region insert-region-here\n --vpc-endpoint-id insert-vpc-endpoint-id \\\n --policy-document file://insert-new-vpc-policy-filename.json\n ```\n\n3. Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.\n4. 
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement) if {\n\tcheck_principal_conditions(vpc_endpoint_policy_statement)\n\tnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement)\n}\n\nnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement) if {\n\tnot vpc_endpoint_policy_statement.statement_has_condition\n\tlower(vpc_endpoint_policy_statement.statement_effect) == \"allow\"\n}\n\ncheck_principal_conditions(vpc_endpoint_policy_statement) if {\n\tvpc_endpoint_policy_statement.policy_principal.principal == \"*\"\n} else if {\n\tvpc_endpoint_policy_statement.policy_principal.principal_aws[_] == \"*\"\n}\n\neval(vpc_endpoint_policy_statement) = \"fail\" if {\n\tnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc_endpoint_policy_statement"]},"validationQuery":"","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. [http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"1
64.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(vpc) = \"pass\" if {\n\tsome flowlog in vpc.flowlogs\n\tflowlog.flow_log_status == \"ACTIVE\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc"]},"validationQuery":"","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. 
\n\n## Strategy\nThis rule monitors Vault Audit Logs (`source:vault`) to detect when `root` is seen in:\n\n* auth policy (`@auth.policies`)\n\nThis rule also monitors the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n* 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.\n* 17 October 2022 - Updated queries and cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @http.url_details.path:\"sys/generate-root/attempt\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_initialized","distinctFields":[]},{"query":"source:vault @http.url_details.path:\"sys/generate-root/update\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root @type:response","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_used","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Initialized","condition":"root_token_initialized > 0"},{"status":"high","notifications":[],"name":"Created","condition":"root_token_created > 0"},{"status":"high","notifications":[],"name":"Used","condition":"root_token_used > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root 
Token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the 
most recent bug fixes and security patches.\n\n## Remediation\n\n### From the console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### From the command line\n\n1. Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.allow_version_upgrade\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\n### From the console\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\n### Using PowerShell\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"pass\" if {\n\tvirtual_machine_instance.storage_profile.os_disk.managed_disk_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email 
notifications to admins and subscription owners\". This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting 
\"Periodic recurring scans\" schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate 
for incoming requests. Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\n### From the command line\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.client_cert_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\n### From the console\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\n### From the command line\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_min_tls_version(app_service) if {\n\tapp_service.site_config_min_tls_version == \"1.2\"\n} else if {\n\tapp_service.site_config.min_tls_version == \"1.2\"\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_min_tls_version(app_service)\n} else = \"fail\"\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","framework:cis-azure","control:4.1","control:2.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\n### From the command line\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"2.1","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.https_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:windows","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes 
> 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log Cleared"}]} headers: Content-Type: - application/json 
@@ -640,7 +589,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin 
Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more 
restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR 
random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered 
(updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high 
case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127340,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wtt-nh6-juo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"}]} + {"meta":{"page":{"total_filtered_count":30,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. 
","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain 
Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall 
Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate 
administrators"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## 
Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540941284,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"o68-soo-c12","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540939"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540946161,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"r7n-huo-4rt","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540944"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package 
datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540952520,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"wth-wau-03b","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540950"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["terraform:true","test:acceptance-updated"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"Acceptance test TF rule - updated","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog # updated","resourceTypes":["gcp_compute_disk","gcp_compute_instance","gcp_compute_firewall"]},"complexRule":true},"keepAlive":21600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":true,"defaultGroupByFields":null,"userGroupByFields":["@resource","@resource_type"]},"cases":[{"status":"high","notifications":["@channel-upd"],"name":"","condition":"a > 0"}],"id":"u2m-agy-swa","createdAt":1671541008003,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671541006 - updated"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance 
test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542720397,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"grb-fzj-wqh","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542718"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542793321,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"il3-uli-eqq","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542791"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552482017,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"77c-zma-o7f","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552480"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552551633,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hop-rqz-f8v","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552550"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552663049,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 
0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhn-veo-7mp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552661"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552679840,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kbd-8wc-8cq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552678"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553311788,"filters":[{"action":"suppress","query":"does not really 
suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3am-l1f-ved","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553310"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553346438,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vmb-tgh-ihm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553344"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553410647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"p3o-o9v-1ha","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553409"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553453803,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qfz-lca-swv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553452"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553538312,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zmw-kgv-yds","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553537"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From the console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} headers: Content-Type: - application/json 
@@ -657,24 +606,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":24,"total_count":824}},"data":[{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not 
really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, 
clients can attempt to connect to\nthat instance from any IP address. Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":824}},"data":[]} + {"meta":{"page":{"total_filtered_count":0,"total_count":730}},"data":[]} headers: Content-Type: - application/json 
@@ -691,7 +623,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. 
The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to 
address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, 
\"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that 
are created. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\n### From the console\n\n1. Go to **Microsoft Defender for Cloud**\n2. Click on **Environment Settings**\n3. Click on a subscription\n4. Click on **Auto Provisioning** in the left column.\n5. Ensure that **Log Analytics agent for Azure VMs** is set to **On**\n\n### From the command line\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" \nhttps://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"'\n```\n\nWhere `input.json` contains the Request body JSON data as mentioned below: \n\n```bash\n{\n\t\"id\": \"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default \",\n\t\"name\": \"default\",\n\t\"type\": \"Microsoft.Security/autoProvisioningSettings\",\n\t\"properties\": {\n\t\t\"autoProvision\": \"On\"\n\t}\n}\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection][2]\n3. [https://msdn.microsoft.com/en-us/library/mt704062.aspx][3]\n4. [https://msdn.microsoft.com/en-us/library/mt704063.aspx][4]\n5. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list][5]\n6. [https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create][6]\n7. 
[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification][7]\n\n[1]: https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security\n[2]: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection\n[3]: https://msdn.microsoft.com/en-us/library/mt704062.aspx\n[4]: https://msdn.microsoft.com/en-us/library/mt704063.aspx\n[5]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list\n[6]: https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create\n[7]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n## Additional Information\n- Excluding any of the entries in `input.json` may disable the specific setting by default.\n- Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. 
This recommendation is updated accordingly.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_center_auto_provisioning) = \"fail\" if {\n\tsecurity_center_auto_provisioning.auto_provision == \"Off\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_center_auto_provisioning"]},"validationQuery":"","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. 
However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the console\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. 
Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"25.2","framework":"gdp
r","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_account_public_access_block) if {\n\ts3_account_public_access_block.block_public_acls\n\ts3_account_public_access_block.block_public_policy\n\ts3_account_public_access_block.ignore_public_acls\n\ts3_account_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else if {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"'Block Public Access' feature is enabled for S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\n### From the console\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. 
Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. Go back to the VM and re-attach the disk\n\n### Using PowerShell\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption_type(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Attached\"\n} else = \"pass\" if {\n\tcompliant_encryption_type(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:Storage-Accounts","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","control:6.5.3","framework:cis-azure","control:2.6","control:4.1","control:3.1","requirement:Control-Activities","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. 
Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\n### From the command line\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.6","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.supports_https_traffic_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tcontains(storage_account.network_acls.bypass, \"AzureServices\")\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome 
resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. 
Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\n### From the console\n\n**Note:** Disks must be detached from VMs to have encryption changed. If data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n1. Go to `Virtual machines`\n2. For each virtual machine, go to `Settings`\n3. Click on `Disks`\n4. Click the `X` to detach the disk from the VM\n5. Now search for `Disks` and locate the unattached disk\n6. Click the disk then select `Encryption`\n7. Change your encryption type, then select your encryption set\n8. Click `Save`\n9. Go back to the VM and re-attach the disk\n\n### From the commandline\n\n```powershell\n$KVRGname = 'MyKeyVaultResourceGroup';\n$VMRGName = 'MyVirtualMachineResourceGroup';\n$vmName = 'MySecureVM';\n$KeyVaultName = 'MySecureVault';\n$KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName\n$KVRGname;\n$diskEncryptionKeyVaultUrl = $KeyVault.VaultUri;\n$KeyVaultResourceId = $KeyVault.ResourceId;\nSet-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss][4]\n2. 
[https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json][5]\n3. [https://docs.microsoft.com/en-us/rest/api/compute/disks/delete][6]\n4. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete][7]\n5. [https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings][8]\n6. [https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update][9]\n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest][10]\n\n\n[1]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[4]: https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n[5]: https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n[6]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n[7]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[8]: https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n[9]: https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n[10]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_encryption(managed_disk) if {\n\tmanaged_disk.encryption_type == \"EncryptionAtRestWithCustomerKey\"\n} else if {\n\tmanaged_disk.encryption.type == \"EncryptionAtRestWithCustomerKey\"\n}\n\neval(managed_disk) = \"skip\" if {\n\tmanaged_disk.disk_state != \"Unattached\"\n} else = \"pass\" if {\n\tcompliant_encryption(managed_disk)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_managed_disk"]},"validationQuery":"","resourceType":"azure_managed_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. 
If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. 
Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = 
\"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum message 
severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" if {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value of the 
`log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" if {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\"\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" if {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\"\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.11","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for SQL instance\nconfiguration changes.\n\n## Rationale\nMonitoring changes to SQL instance configuration changes may reduce the time needed to\ndetect and correct SQL server misconfigurations.\nBelow are a few configurable options that may impact the security posture of an\nSQL instance:\n \u2022 Enable auto backups and high availability: Misconfiguration may adversely impact\n business 
continuity, disaster recovery, and high availability\n \u2022 Authorize networks: Misconfiguration may increase exposure to untrusted networks\n\n### Impact \nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation \n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and clicking **CREATE METRIC**.\n2. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.\n3. Clear any text and add:\n\n ```\n protoPayload.methodName=\"cloudsql.instances.update\"\n ```\n\n4. Click **Submit Filter**. Display logs appear based on the filter text.\n5. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. \nThis ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every SQL instance configuration change in the project.\n8. 
Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][9]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][10]\n\n\n\n## References\n1. [https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/storage/docs/overview][5]\n6. [https://cloud.google.com/sql/docs/][6]\n7. [https://cloud.google.com/sql/docs/mysql/][7]\n8. [https://cloud.google.com/sql/docs/postgres/][8]\n9. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][9]\n10. 
[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][10]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/storage/docs/overview\n[6]: https://cloud.google.com/sql/docs/\n[7]: https://cloud.google.com/sql/docs/mysql/\n[8]: https://cloud.google.com/sql/docs/postgres/\n[9]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[10]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_method_name_constant := upper(\"protoPayload.methodName=\\\"cloudsql.instances.update\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := 
input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, filter_method_name_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"rtu-ij2-tg6","createdAt":1666265090604,"name":"A log metric filter and 
alert exists for SQL instance configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","control:2.9","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be set up for Virtual Private Cloud (VPC) network changes.\n\n## Rationale\nIt is possible to have more than one VPC within a project. \nIn addition, it is also possible to create a peer connection between two VPCs to enable network traffic routing between VPCs.\n\nMonitoring changes to a VPC helps to ensure that VPC traffic flow is not getting impacted.\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n resource.type=gce_network\n AND (protoPayload.methodName:\"compute.networks.insert\"\n OR protoPayload.methodName:\"compute.networks.patch\"\n OR protoPayload.methodName:\"compute.networks.delete\"\n OR protoPayload.methodName:\"compute.networks.removePeering\"\n OR protoPayload.methodName:\"compute.networks.addPeering\")\n ```\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n1. Create the prescribed log metric using the following command: \n ```\n gcloud beta logging metrics create\n ```\n [Reference for command usage][6]\n2. Create the prescribed alert policy using the following command:\n ```\n gcloud alpha monitoring policies create\n ```\n [Reference for command usage][7]\n\n\n\n## References\n1. 
[https://console.cloud.google.com/logs/metrics][1] \n2. [https://cloud.google.com/monitoring/custom-metrics/][2]\n3. [https://cloud.google.com/monitoring/alerts/][3]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][4]\n5. [https://cloud.google.com/vpc/docs/overview][5]\n6. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][6]\n7. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][7]\n\n\n[1]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[2]: https://cloud.google.com/monitoring/custom-metrics/\n[3]: https://cloud.google.com/monitoring/alerts/\n[4]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[5]: https://cloud.google.com/vpc/docs/overview\n[6]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[7]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.9","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=gce_network\")\n\nfilter_method_name_1 := upper(\"protoPayload.methodName:\\\"compute.networks.insert\\\"\")\n\nfilter_method_name_2 := upper(\"protoPayload.methodName:\\\"compute.networks.patch\\\"\")\n\nfilter_method_name_3 := upper(\"protoPayload.methodName:\\\"compute.networks.delete\\\"\")\n\nfilter_method_name_4 := upper(\"protoPayload.methodName:\\\"compute.networks.removePeering\\\"\")\n\nfilter_method_name_5 := upper(\"protoPayload.methodName:\\\"compute.networks.addPeering\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type)\n\tcontains(filter_parsed, filter_method_name_1)\n\tcontains(filter_parsed, filter_method_name_2)\n\tcontains(filter_parsed, filter_method_name_3)\n\tcontains(filter_parsed, filter_method_name_4)\n\tcontains(filter_parsed, filter_method_name_5)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if 
{\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"zv2-vh1-ixx","createdAt":1665677590865,"name":"A log metric filter and alert exists for VPC network changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data\nAccess logs to help answer the question of \"Who did what, where, and when?\" within GCP\nprojects.\nCloud audit logging records information such as the identity of the API caller, the time of\nthe API call, the source 
IP address of the API caller, the request parameters, and the\nresponse elements returned by GCP services. Cloud audit logging provides a history of GCP\nAPI calls for an account, including API calls made through the console, SDKs, command-line\ntools, and other GCP services.\n\n## Rationale\nCloud audit logging to Admin Activity and Data Access logs enables security\nanalysis, resource change tracking, and compliance auditing.\nConfiguring the metric filter and alerts for audit configuration changes ensures that the\nrecommended state of audit configuration is maintained so that all activities in the project\ncan be audited at any point in time.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n#### Create the prescribed log metric\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n ```\n protoPayload.methodName=\"SetIamPolicy\" AND\n protoPayload.serviceData.policyDelta.auditConfigDeltas:*\n ```\n6. Click **Create Metric**.\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. 
Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every audit configuration change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. 
[https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_methodname_constant := upper(\"protoPayload.methodName=\\\"SetIamPolicy\\\"\")\n\nfilter_servicedata_constant := 
upper(\"protoPayload.serviceData.policyDelta.auditConfigDeltas:*\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, filter_methodname_constant)\n\tcontains(filter_parsed, filter_servicedata_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sni-qbq-wix","createdAt":1665677774002,"name":"A log metric filter and alert exists for audit configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.8","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network route changes.\n\n## Rationale\nGoogle Cloud Platform (GCP) routes define the paths taken by network traffic from a VM instance to another destination. The other destination can be inside the organization VPC network (such as another VM) or outside of it. Every route consists of a destination and a next hop. 
Traffic whose destination IP is within the destination range is sent to the next hop\nfor delivery.\nMonitoring changes to route tables helps to ensure that all VPC traffic flows through an expected path.\n\n### Impact\nEnabling of logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console:\n\n#### Create the prescribed Log Metric:\n1. Go to [Logs-based Metrics][1] within **Logging** in the Google Cloud console and click **CREATE METRIC**.\n2. Click the down arrow symbol on the filter bar at the rightmost corner and select\n**Convert to Advanced Filter**.\n3. Clear any text and add:\n ```\n resource.type=\"gce_route\"\n AND (protoPayload.methodName:\"compute.routes.delete\"\n OR protoPayload.methodName:\"compute.routes.insert\"\n ```\n4. Click **Submit Filter**. Display logs appear based on the entered filter text.\n5. In the `Metric Editor` menu on the right, fill out the name field. Set `Units` to `1`\n(default) and `Type` to `Counter`. This ensures that the log metric counts the number of\nlog entries matching the advanced logs query.\n6. Click **Create Metric**.\n\n#### Create the prescribed alert policy:\n\n1. Identify the newly created metric under the section `User-defined Metrics` in the\n[Logs-based Metrics][1] page in the Google Cloud console.\n2. Click the 3-dot icon in the rightmost column for the new metric and select `Create\nalert from Metric`. A new page appears.\n3. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold\nand configuration that makes sense for your organization. For example, a\nthreshold of zero(0) for the most recent value ensures that a notification is triggered\nfor every owner change in the project:\n ```\n Set `Aggregator` to `Count`\n Set `Configuration`:\n - Condition: above\n - Threshold: 0\n - For: most recent value\n ```\n4. Configure the desired notification channels in the section **Notifications**.\n5. 
Name the `policy` and click **Save**.\n\n### From the command line:\n\n#### Create the prescribed Log Metric: \n\nUse the command `gcloud beta logging metrics create`. Read the [usage reference][2] in the Google Cloud documentation for more information.\n\n#### Create the prescribed alert policy:\n\nUse the command `gcloud alpha monitoring policies create`. Read the [usage reference][3] in the Google Cloud documentation for more information.\n\n## References\n\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][4]\n2. [https://cloud.google.com/monitoring/custom-metrics/][5]\n3. [https://cloud.google.com/monitoring/alerts/][6]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][7]\n5. [https://cloud.google.com/storage/docs/access-control/iam][8]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[3]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[4]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[5]: https://cloud.google.com/monitoring/custom-metrics/\n[6]: https://cloud.google.com/monitoring/alerts/\n[7]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[8]: 
https://cloud.google.com/storage/docs/access-control/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.8","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type := upper(\"resource.type=\\\"gce_route\\\"\")\n\nfilter_method_name_delete_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.delete\\\"\")\n\nfilter_method_name_delete := upper(\"protoPayload.methodName:\\\"compute.routes.delete\\\"\")\n\nfilter_method_name_insert_beta := upper(\"protoPayload.methodName:\\\"beta.compute.routes.insert\\\"\")\n\nfilter_method_name_insert := upper(\"protoPayload.methodName:\\\"compute.routes.insert\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_filter(filter_parsed, 
filter_method_name_beta, filter_method_name) if {\n\tcontains(filter_parsed, filter_method_name_beta)\n} else if {\n\tcontains(filter_parsed, filter_method_name)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\n\tcontains(filter_parsed, filter_resource_type)\n\n\tvalid_filter(filter_parsed, filter_method_name_delete_beta, filter_method_name_delete)\n\tvalid_filter(filter_parsed, filter_method_name_insert_beta, filter_method_name_insert)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.notification_channels[_]\n\tmonitoring_alert_policy.enabled == true\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-dyl-9lb","createdAt":1668685067568,"name":"A log metric filter and alerts exist for VPC Network route changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.7","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for Virtual Private Cloud\n(VPC) network firewall rule changes.\n\n## Rationale\nMonitoring create or update firewall rule events gives insight to network access\nchanges and may reduce the time it takes to detect suspicious activity.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. 
Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"gce_firewall_rule\"\n AND protoPayload.methodName:\"compute.firewalls.patch\"\n OR protoPayload.methodName:\"compute.firewalls.insert\"\n OR protoPayload.methodName:\"compute.firewalls.delete\"\n ```\n \n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every VPC network firewall rule change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. 
Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. [https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/vpc/docs/firewalls][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: 
https://cloud.google.com/vpc/docs/firewalls\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.7","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"gce_firewall_rule\\\"\")\n\nfilter_patch_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.patch\\\"\")\n\nfilter_insert_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.insert\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName:\\\"compute.firewalls.delete\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, 
logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_patch_constant)\n\tcontains(filter_parsed, filter_insert_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"xrg-k52-qt3","createdAt":1665677775464,"name":"A log metric filter and alerts exist for VPC network firewall rule 
changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","scope:google_logging_log_metric","control:2.6","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","source:google_logging_log_metric","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that a metric filter and alarm be established for changes to Identity and\nAccess Management (IAM) role creation, deletion and updating activities.\n\n## Rationale\nGoogle Cloud IAM provides predefined roles that give granular access to specific Google\nCloud Platform resources and prevent unwanted access to other resources. However, to\ncater to organization-specific needs, Cloud IAM also provides the ability to create custom\nroles. Project owners and administrators with the Organization Role Administrator role or\nthe IAM Role Administrator role can create custom roles. Monitoring role creation, deletion\nand updating activities helps identify any over-privileged role an early stage.\n\n\n### Impact\nEnabling logging may result in your project being charged for the additional logs usage.\n\n## Remediation\n\n### From the console\n\n#### Create the prescribed log metric\n\n1. Go to Logging/Logs-based Metrics by visiting [https://console.cloud.google.com/logs/metrics][1] and click **CREATE METRIC**.\n2. Set **Metric Type** to `Counter`. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.\n3. Fill out the **Log metric name** field.\n4. Set the **Units** to `1` (default).\n5. 
Under **Filter selection**, add the following text to the **Build filter** block: \n\n ```\n resource.type=\"iam_role\"\n AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\"\n OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\"\n ```\n6. Click **Create Metric**\n\n#### Create a prescribed alert policy\n\n1. Go to [https://console.cloud.google.com/logs/metrics][1]. Under the **User-defined Metrics** section, identify the newly created metric.\n2. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.\n3. Leave the **Enter a Monitoring filter** field as is.\n4. Set **Rolling window function** to `delta`.\n5. Under **Across time series**, set the **Time series aggregation** field to `count`. \n6. Navigate to **Configure trigger** using the left-hand panel and leave the default value of `threshold` for **Condition type**. \n7. Choose the alerting threshold and trigger conditions that make most sense for your organization. For example, a **Threshold value** of `0` and an **Alert trigger** of `Any time series violates` ensures that a notification is triggered for every custom role change in the project.\n8. Navigate to **Notifications and name** to configure your desired notification channel and alerting policy name. \n9. Navigate to **Review alert** and validate that all values look as expected. Then, click **CREATE POLICY**.\n\n### From the command line\n\n#### Create a prescribed log metric\n\nUse the command: `gcloud beta logging metrics create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create][3]\n\n#### Create a prescribed alert policy\nUse the command: `gcloud alpha monitoring policies create`\nReference for command usage:\n[https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create][4]\n\n## References\n1. 
[https://cloud.google.com/logging/docs/logs-based-metrics/][5]\n2. [https://cloud.google.com/monitoring/custom-metrics/][6]\n3. [https://cloud.google.com/monitoring/alerts/][7]\n4. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][8]\n5. [https://cloud.google.com/iam/docs/understanding-custom-roles][9]\n\n[1]: https://console.cloud.google.com/logs/metrics\n[2]: https://console.cloud.google.com/logs/metrics\n[3]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create\n[4]: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create\n[5]: https://cloud.google.com/logging/docs/logs-based-metrics/\n[6]: https://cloud.google.com/monitoring/custom-metrics/\n[7]: https://cloud.google.com/monitoring/alerts/\n[8]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[9]: https://cloud.google.com/iam/docs/understanding-custom-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.6","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nfilter_resource_type_constant := upper(\"resource.type=\\\"iam_role\\\"\")\n\nfilter_create_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.CreateRole\\\"\")\n\nfilter_delete_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.DeleteRole\\\"\")\n\nfilter_update_constant := upper(\"protoPayload.methodName=\\\"google.iam.admin.v1.UpdateRole\\\"\")\n\nvalid_log_metric := {logging_log_metric.project_id |\n\tlogging_log_metric := input.resources.gcp_logging_log_metric[_]\n\tmonitoring_alert_policy := input.resources.gcp_monitoring_alert_policy[_]\n\tvalid_log_metric_filter(logging_log_metric)\n\tmetric_and_alert_align(logging_log_metric, monitoring_alert_policy)\n}\n\nvalid_log_metric_filter(logging_log_metric) if {\n\tfilter_parsed := upper(strings.replace_n({\" \": \"\", \"\\n\": \"\", \"\\r\": \"\"}, logging_log_metric.filter))\n\tcontains(filter_parsed, \"AND\")\n\tcontains(filter_parsed, \"OR\")\n\tcontains(filter_parsed, filter_resource_type_constant)\n\tcontains(filter_parsed, filter_create_constant)\n\tcontains(filter_parsed, filter_delete_constant)\n\tcontains(filter_parsed, filter_update_constant)\n}\n\nmetric_and_alert_align(logging_log_metric, monitoring_alert_policy) if {\n\talert_policy_name := trim_right(split(monitoring_alert_policy.conditions[_].condition_threshold.filter, \"/user/\")[1], \"\\\"\")\n\talert_policy_name == logging_log_metric.name\n\tconditions(monitoring_alert_policy)\n}\n\nconditions(monitoring_alert_policy) if {\n\tmonitoring_alert_policy.conditions[_].condition_threshold.trigger.count >= 0\n\tmonitoring_alert_policy.enabled == true\n\tmonitoring_alert_policy.notification_channels[_]\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_metric[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_monitoring_alert_policy","gcp_logging_log_metric"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"8jp-b4x-ubz","createdAt":1665677984333,"name":"A log metric filter and alerts exist for custom role changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate does not expire within the next 7 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### From the console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### From the command line\n\n1. 
Run the [`delete-certificate`][2] command to remove the invalid certificate.\n\n ```\n aws acm delete-certificate --certificate-arn insert-certificate-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","control:32.1a","source:acm","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### From the console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### From the command line\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.\n\n## Rationale\n\n[Requests for ACM certificates time out if they are not validated within 72 hours][1]. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources. \n\n[ACM either renews your certificates automatically (if you are using DNS validation)][2], or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service. \n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up DNS Validation][3] or [Resending Validation Email][4] docs to validate a certificate in the AWS Console or by email.\n\n### From the command line\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[4]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is not pending 
validation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly. 
AMIs should only be shared with [specific AWS accounts][2] or [your AWS Organization][3].\n\n## Remediation\n\n### From the console\n\nFollow the instructions outlined in the [AWS documentation][4].\n\n### From the command line\n\nUse the following command to stop sharing the AMI:\n\n ```bash\n aws ec2 modify-image-attribute \\\n --image-id ami-xxxx \\\n --launch-permission \"Remove=[{Group=all}]\"\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308
-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tnot ami.image_owner_alias in [\"aws-marketplace\", \"amazon\"]\n} else if {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" if {\n\tami.public == false\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add steps to Triage and response section.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. 
Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect a successful `@evt.name:DeleteLogGroup` event.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` through a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n<<<<<<< HEAD\n[1]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n=======\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment\n>>>>>>> main\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. 
If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR 
cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no 
mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n* 10 March 2022 - Rule updated.\n* 15 December 2022 - Rule updated to cover edge case.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ConsoleLogin -@level:Error (@userIdentity.sessionContext.attributes.mfaAuthenticated:true OR @additionalEventData.MFAUsed:Yes) -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a 
user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n* 18 November 2022 - Updated severity.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false 
@responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n * Revert AMI permissions to the original state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 11 November 2022 - Add additional triage and response steps.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n## Changelog\n* 18 March 2022 - Rule query and severity updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR 
Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":20,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a 
scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. 
Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n## Changelog\n* 14 November 2022 - Updated severity.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 4 April 2022 - Rule query and signal message updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"}]} headers: Content-Type: - application/json 
@@ -708,7 +640,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking 
tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* 
[Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you 
monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 
0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* [DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. 
If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR 
DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM 
group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy 
@requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS 
IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a 
user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR 
Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:S3/AccountBlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Contact the user and determine why the user disabled the S3 Block Access feature. \n3. 
Re-enable S3 Block Public Access.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-kalilinux\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. 
Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty 
integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. 
Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n## Changelog\n* 16 March 2022 - Rule severity and markdown updated.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n## Changelog\n* 1 November 2022 - Updated links.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n* 7 April 2022 - Updated rule query and signal message.\n* 5 January 2023 - Updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 7 April 2022 - Update rule and signal message.\n* 15 December 2022 - Update query to include Access Denied events and reduce severity.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated","distinctFields":[]},{"query":"source:cloudtrail @error.kind:AccessDenied @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_route53_querylogging_disassociated_access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful","condition":"aws_route53_querylogging_disassociated > 0"},{"status":"info","notifications":[],"name":"Access Denied","condition":"aws_route53_querylogging_disassociated_access_denied > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified 
with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR 
DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.\n31 October 2022 - updated severity.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 14 November 2022 - Updated options.\n\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. 
Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:Identity-and-Access-Management","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else if {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot 
keys_created_during_setup(credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else if {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_ip_addresses(azure_postgresql_firewall_rule) if {\n\tazure_postgresql_firewall_rule.start_ip_address != \"0.0.0.0\"\n} else if {\n\tazure_postgresql_firewall_rule.end_ip_address != \"0.0.0.0\"\n}\n\neval(azure_postgresql_firewall_rule) = \"pass\" if {\n\tnot azure_postgresql_firewall_rule.name in [\"ALL\", 
\"AllowAllAzureIps\"]\n\tcompliant_ip_addresses(azure_postgresql_firewall_rule)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_firewall_rule"]},"validationQuery":"","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 
5432\n\trule.to_port >= 5432\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\nTo update a security group rule: \n\n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2]\n2. In the navigation pane, choose **Security Groups**.\n3. Select the security group to update, then choose **Actions**.\n4. Choose **Edit inbound rules** to remove an inbound rule, or **Edit outbound rules** to remove an outbound rule.\n5. Update the rule as required.\n6. Choose **Preview changes**, **Confirm**.\n\nTo delete a security group rule: \n1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/][2].\n2. In the navigation pane, choose **Security Groups**.\n3. 
Choose the **Delete** button to the right of the rule to delete.\n4. Choose **Preview changes**, **Confirm**.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","f
ramework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. 
This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. 
https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. 
See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle 
managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. 
Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. [https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical
-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have 
an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n} else if {\n\tkey_vault_key.attributes.enabled == true\n\tnot key_vault_key.attributes.exp == 0\n\tnot key_vault_key.attributes.exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\n### From the console\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tkey_vault_secret.attributes_exp\n\tnot key_vault_secret.attributes_exp == 0\n} else if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes.enabled == 
true\n\tkey_vault_secret.attributes.exp\n\tnot key_vault_secret.attributes.exp == 0\n}\n\neval(key_vault_secret) = \"pass\" if {\n\tcompliant(key_vault_secret)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. 
You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-discovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n* 30 March 2022 - Updated query and signal message.\n* 17 October 2022 - Updated tags.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":19,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. \n\n### From the commandline\n\n1. For each server, [set retention policy][3] for more than or equal to 90 days.\n\n ```powershell\n Set-AzSqlServerAuditing -State Enabled -ServerName \"\" -ResourceGroupName \"\" -StorageAccountName \"abcd1234abcd1234abcd1234\" -RetentionInDays \n ```\n\n**Note:** You can set the number of days to 0 for unlimited retention.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n2. [https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]\n\n[https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing][1]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/get-azsqlserveraudit?view=azps-9.2.0][2]\n[https://learn.microsoft.com/en-us/powershell/module/az.sql/set-azsqlserveraudit?view=azps-9.2.0][3]\n[https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention][4]","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"A
udit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_retention_period(audit_setting) if {\n\taudit_setting.retention_days == 0\n} else if {\n\taudit_setting.retention_days >= 90\n}\n\neval(sql_server) = \"pass\" if {\n\tlower(sql_server.audit_setting.state) == \"enabled\"\n\tcompliant_retention_period(sql_server.audit_setting)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. 
This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. 
Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" if {\n\tcompliant(iam_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.audit_setting.state == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n* 15 November 2022 - Updated query to reduce false positives, updated option values.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication @evt.outcome:success ((-@properties.authenticationDetails.authenticationMethod:\"Previously satisfied\" -@properties.authenticationDetails.authenticationStepResultDetail:\"First factor requirement satisfied by claim in the token\") OR -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\") OR -@properties.authenticationDetails.authenticationMethod:\"Windows Hello for Business\") @properties.authenticationDetails.authenticationStepRequirement:\"Primary authentication\"","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n* 26 October 2022 - Updated query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@usr.id","@properties.appId"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 4 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 4"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure AD brute force login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that 
use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor 
Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: 
https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. 
From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. 
To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_active_directory_administrators(sql_server) if {\n\tsome active_directory_administrator in sql_server.active_directory_administrators\n\tactive_directory_administrator.administrator_type == \"ActiveDirectory\"\n\tactive_directory_administrator.name == \"ActiveDirectory\"\n} else if {\n\tnot sql_server.active_directory_administrators\n}\n\neval(sql_server) = \"pass\" if 
{\n\tcompliant_active_directory_administrators(sql_server)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. 
Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky 
Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf [remote debugging][1] is enabled, this can allow an attacker access to your applications. To reduce your attack surface, disable remote debugging when not actively needed. \n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list \\\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n ```\n az webapp config show \\\n\t--ids \"\" \\\n\t--query 'remoteDebuggingEnabled'\n ```\n3. Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set \\\n\t--ids \"\" \\\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.\n\n\n## References\n1. 
[Azure webapp config set][2]\n\n[1]: https://devblogs.microsoft.com/premier-developer/remote-debugging-azure-app-services/\n[2]: https://learn.microsoft.com/en-us/cli/azure/webapp/config?view=azure-cli-latest#az-webapp-config-set\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_remote_debugging_enabled == true\n} else if {\n\tapp_service.site_config.remote_debugging_enabled == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. 
Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == false\n} else if {\n\tapp_service.site_config.always_on == false\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_always_on == true\n} else if {\n\tapp_service.site_config.always_on == true\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. 
If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:Control-Activities","control:9.9","requirement:AppService","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\n### From the command line\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_site_config(app_service) if {\n\tapp_service.site_config_http20_enabled\n} else if {\n\tapp_service.site_config.http20_enabled\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_site_config(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects. It is recommended the Key Vault be made recoverable by enabling the \"Do Not Purge\"\nand \"Soft Delete\" functions. 
This is to prevent loss of encrypted data, including storage accounts, SQL databases, and dependent services provided by Key Vault objects (keys, secrets, certificates, etc.), which may occur due to accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. 
\n\nEnabling both parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n**WARNING**: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when a Key Vault is deleted. All role assignments will need to be recreated after recovery.\n\n## Remediation\n\nEnable \"Do Not Purge\" and \"Soft Delete\" for a key vault.\n\n### From the console\n\n1. Go to **Key Vaults**.\n2. Click **Properties**.\n3. Ensure the status of soft-delete reads **'Soft delete has been enabled on this key vault'**.\n4. At the bottom of the page, click **'Enable Purge Protection'**.\n\n### From the command line \n\n ```bash\n az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault/vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n ```\n\n### From Powershell\n\n ```powershell\n Update-AzKeyVault -VaultName 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is 
recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. [https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"}]} headers: Content-Type: - application/json 
@@ -725,7 +657,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. 
If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requir
ement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_authentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. 
Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### From the console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### From the command line\n\n1. Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: 
https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tto_number(postgresql_server.version) >= 11\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### From the command line\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. 
When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"contr
ol":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tpostgresql_server.storage_profile_geo_redundant_backup != \"Disabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.notifications_by_role.state == \"On\"\n\t\"Owner\" in security_contact.properties.notifications_by_role.roles\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. 
Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. 
This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.alert_notifications.minimal_severity == \"High\"\n\tsecurity_contact.properties.alert_notifications.state == \"On\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\n### From the console\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(security_contact) = \"pass\" if {\n\tsecurity_contact.properties.emails != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_contact"]},"validationQuery":"","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:azure","scope:azure-active-directory","technique:T1098-account-manipulation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure service principal being assigned an Azure role.\n\n## Strategy\nMonitor Azure Activity logs for the following operations:\n\n* `@evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\"`\n* `@properties.requestbody:*ServicePrincipal*`\n\n## Triage and response\n1. Determine if this activity is legitimate by investigating the: \n * Source IP of this activity: `{{@network.client.ip}}`\n * The user who made this request: `@identity.claims.name`\n * The role that was assigned to the application or service principal.\n2. 
If this user should not be assigning this Azure role and if the service principal should not be assigned this role:\n * Revoke access of compromised credentials.\n * Remove unauthorized app registration and/or service principal.\n * Investigate other activities performed by the source IP `{{@network.client.ip}}` in the IP Investigation Dashboard.\n * Investigate other activities performed by the user `{{@usr.id}}` in the User Investigation Dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.authorization @evt.name:\"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE\" @properties.requestbody:*ServicePrincipal*","groupByFields":["@usr.id","@network.client.ip"],"aggregation":"count","name":"role_assignment","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"role_assignment > 0"}],"type":"log_detection","id":"vu1-3je-k6m","createdAt":1661900093294,"name":"Azure Service Principal was assigned a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","scope:azure.compute","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","source:azure.compute","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### From the command line\n\n1. Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. 
You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output 
as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"skip\" if {\n\tnot virtual_machine_instance.os_profile.linux_configuration\n} else = \"pass\" if {\n\tvirtual_machine_instance.os_profile.linux_configuration.disable_password_authentication == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH 
Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_assignable_scope(assignable_scope) if {\n\tassignable_scope == \"/\"\n} else if {\n\tstartswith(assignable_scope, \"/subscriptions\")\n}\n\nnon_compliant_type(role_definition) if {\n\tlower(role_definition.properties_type) == \"customrole\"\n} else if {\n\tlower(role_definition.type) == \"customrole\"\n}\n\nnon_compliant_role_definition(role_definition) if 
{\n\tnon_compliant_type(role_definition)\n\tsome permission in role_definition.permissions\n\tsome action in permission.actions\n\taction == \"*\"\n\tsome assignable_scope in role_definition.assignable_scopes\n\tnon_compliant_assignable_scope(assignable_scope)\n}\n\neval(role_definition) = \"fail\" if {\n\tnon_compliant_role_definition(role_definition)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_role_definition"]},"validationQuery":"","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. 
Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.\n\n## Changelog\n* 2 November 2022 - Update strategy.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","requirement:AppService","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. 
Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. 
Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.31
2-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"\"\n} else if {\n\tapp_service.site_config.java_version == \"\"\n}\n\ncompliant_app_service(app_service) if {\n\tapp_service.site_config_java_version == \"11\"\n} else if {\n\tapp_service.site_config.java_version == \"11\"\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"pass\" if {\n\tcompliant_app_service(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\n### From the console\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\n### From the command line\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_php_version == \"\"\n} else if {\n\tapp_service.site_config.php_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.4.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_php_version)\n} else if 
{\n\tnon_compliant_version(app_service.site_config.php_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:AppService","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. 
Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\n### From the command line\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","ver
sion":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nshould_skip_app_service(app_service) if {\n\tapp_service.site_config_python_version == \"\"\n} else if {\n\tapp_service.site_config.python_version == \"\"\n}\n\nnon_compliant_version(version) if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"3.6.0\") < 0\n}\n\nnon_compliant_app_service(app_service) if {\n\tnon_compliant_version(app_service.site_config_python_version)\n} else if {\n\tnon_compliant_version(app_service.site_config.python_version)\n}\n\neval(app_service) = \"skip\" if {\n\tshould_skip_app_service(app_service)\n} else = \"fail\" if {\n\tnon_compliant_app_service(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web 
Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### From the console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### From the command line\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nretention_policy_not_compliant(enabled, days) if {\n\tenabled == true\n\tdays >= 1\n\tdays <= 89\n} else if {\n\tenabled == false\n}\n\nflow_log_not_compliant(flow_log) if {\n\tretention_policy_not_compliant(flow_log.retention_policy_enabled, flow_log.retention_policy_days)\n} else if {\n\tretention_policy_not_compliant(flow_log.retention_policy.enabled, flow_log.retention_policy.days)\n}\n\nflow_log_retention_policy_enabled(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else if {\n\tflow_log.retention_policy.enabled == true\n}\n\neval(network_watcher) = \"fail\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" if {\n\tsome flow_log in network_watcher.flow_logs\n\tflow_log_retention_policy_enabled(flow_log)\n} else = \"skip\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is 
added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From the command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else if {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on the ARN: 
{{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is 
required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse a secure protocol and cipher to protect communication between the client and your Classic Elastic Load Balancers (ELBs). TLS 1.0 and 1.1 are vulnerable to attacks due to multiple insecurities, for this reason we recommend the use of `ELBSecurityPolicy-TLS-1-2-2017-01` which authorizes TLS 1.2. \n\n## Rationale\n\nInsecure communication channels increase the risk of attacks, such as man-in-the-middle, downgrade attacks, and sensitive data breaches. It is recommended to configure listeners to use HTTPS, or SSL, and `ELBSecurityPolicy-TLS-1-2-2017-01`, or a custom policy with an equivalent or more secure [configuration][1]. 
TLS on port 443 will generate a `pass` condition for this rule only if a secure policy is attached to the listener.\n\n### Protocol and cipher details\n\nThis configuration check tests for a listener configured using HTTPS, SSL, or TLS on port 443, as well as for the absence of [ciphers][6] and [protocols][1] for secure listener configurations that are not recommended by AWS.\n\n\n## Remediation\n\nIt is recommended to modify listeners configured to use TLS on port 443, to HTTPS on port 443, and select a secure policy.\n\n### From the console\n\n1. Follow the [Create an HTTPS/SSL load balancer using the console][2] documentation to learn how to create an HTTPS/SSL load balancer in the AWS console. \n2. Follow the [Update the SSL negotiation configuration using the console][4] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. \n\n### From the command line\n\n1. Follow the [Create an HTTPS/SSL load balancer using the AWS CLI][3] documentation to learn how to create an HTTPS/SSL load balancer in the AWS command line. \n2. Follow the [Update the SSL negotiation configuration using the console][5] documentation to apply `ELBSecurityPolicy-TLS-1-2-2017-01` or a Custom Security Policy that is as or more secure. 
\n\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-console\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt\n[4]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-console\n[5]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-config-update.html#ssl-config-update-cli\n[6]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-ssl-security-policy.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-S
ecurity","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nweak_ciphers_and_protocols := {\n\t\"Protocol-SSLv2\", \"Protocol-SSLv3\",\n\t\"Protocol-TLSv1.1\", \"Protocol-TLSv1\",\n\t\"CAMELLIA128-SHA\", \"EDH-RSA-DES-CBC3-SHA\", \"DES-CBC3-SHA\", \"ECDHE-RSA-RC4-SHA\", \"RC4-SHA\", \"ECDHE-ECDSA-RC4-SHA\", \"DHE-DSS-AES256-GCM-SHA384\",\n\t\"DHE-RSA-AES256-GCM-SHA384\", \"DHE-RSA-AES256-SHA256\", \"DHE-DSS-AES256-SHA256\", \"DHE-RSA-AES256-SHA\", \"DHE-DSS-AES256-SHA\",\n\t\"DHE-RSA-CAMELLIA256-SHA\", \"DHE-DSS-CAMELLIA256-SHA\", \"CAMELLIA256-SHA\", \"EDH-DSS-DES-CBC3-SHA\", \"DHE-DSS-AES128-GCM-SHA256\",\n\t\"DHE-RSA-AES128-GCM-SHA256\", \"DHE-RSA-AES128-SHA256\", \"DHE-DSS-AES128-SHA256\", \"DHE-RSA-CAMELLIA128-SHA\", \"DHE-DSS-CAMELLIA128-SHA\",\n\t\"ADH-AES128-GCM-SHA256\", \"ADH-AES128-SHA\", \"ADH-AES128-SHA256\", \"ADH-AES256-GCM-SHA384\", \"ADH-AES256-SHA\", \"ADH-AES256-SHA256\",\n\t\"ADH-CAMELLIA128-SHA\", \"ADH-CAMELLIA256-SHA\", \"ADH-DES-CBC3-SHA\", \"ADH-DES-CBC-SHA\", \"ADH-RC4-MD5\", \"ADH-SEED-SHA\", \"DES-CBC-SHA\",\n\t\"DHE-DSS-SEED-SHA\", \"DHE-RSA-SEED-SHA\", \"EDH-DSS-DES-CBC-SHA\", \"EDH-RSA-DES-CBC-SHA\", \"IDEA-CBC-SHA\", \"RC4-MD5\", \"SEED-SHA\", \"DES-CBC3-MD5\",\n\t\"DES-CBC-MD5\", \"RC2-CBC-MD5\", \"PSK-AES256-CBC-SHA\", \"PSK-3DES-EDE-CBC-SHA\", \"KRB5-DES-CBC3-SHA\", \"KRB5-DES-CBC3-MD5\", \"PSK-AES128-CBC-SHA\",\n\t\"PSK-RC4-SHA\", \"KRB5-RC4-SHA\", \"KRB5-RC4-MD5\", \"KRB5-DES-CBC-SHA\", \"KRB5-DES-CBC-MD5\", \"EXP-EDH-RSA-DES-CBC-SHA\", \"EXP-EDH-DSS-DES-CBC-SHA\",\n\t\"EXP-ADH-DES-CBC-SHA\", \"EXP-DES-CBC-SHA\", \"EXP-RC2-CBC-MD5\", \"EXP-KRB5-RC2-CBC-SHA\", \"EXP-KRB5-DES-CBC-SHA\", \"EXP-KRB5-RC2-CBC-MD5\",\n\t\"EXP-KRB5-DES-CBC-MD5\", \"EXP-ADH-RC4-MD5\", \"EXP-RC4-MD5\", 
\"EXP-KRB5-RC4-SHA\", \"EXP-KRB5-RC4-MD5\", \"DHE-RSA-AES128-SHA\", \"ECDHE-RSA-AES128-SHA\",\n\t\"ECDHE-ECDSA-AES128-SHA\", \"DHE-DSS-AES128-SHA\",\n}\n\ncompliant_protocol(elb_load_balancer) if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"HTTPS\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"SSL\"\n} else if {\n\tupper(elb_load_balancer.listener_descriptions[_].listener.protocol) == \"TCP\"\n\telb_load_balancer.listener_descriptions[_].listener.load_balancer_port == 443\n}\n\nnon_compliant_encryption(elb_load_balancer) if {\n\tprotocol := elb_load_balancer.policy_descriptions[_].policy_attribute_descriptions[_]\n\tprotocol.attribute_name in weak_ciphers_and_protocols\n\tlower(protocol.attribute_value) == \"true\"\n}\n\npolicy_exists(elb_load_balancer) if {\n\telb_load_balancer.listener_descriptions[_].policy_names[_]\n}\n\neval(elb_load_balancer) = \"pass\" if {\n\tcompliant_protocol(elb_load_balancer)\n\tpolicy_exists(elb_load_balancer)\n\tnot non_compliant_encryption(elb_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wco-bmg-rfd","createdAt":1670369344591,"name":"Classic Load Balancer 
listener is securely configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. 
Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","v
ersion":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" if {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\"\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### From the console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### From the 
command line\n\n1. Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.web_acl_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### From the console\n\nFollow the [Values That You Specify When You Create or Update a 
Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nnon_compliant_distribution_config(origin_protocol_policy) if {\n\torigin_protocol_policy == \"TLSv1\"\n} else if {\n\torigin_protocol_policy == \"TLSv1_2016\"\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution.distribution_config.viewer_certificate.minimum_protocol_version)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnot cloudfront_distribution.distribution_config.logging.enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### From the console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### From the command line\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.include_global_service_events\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. 
CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.log_file_validation_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account 
and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. 
CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.kms_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS 
CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","scored:true","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsures AWS CloudTrail is enabled across all AWS regions.\n\n## Rationale\n\nAWS CloudTrail has the ability to deliver log files from multiple regions to a single S3 bucket, and a single CloudWatch Logs log group. This centralizes storage and control of logs data. \n\n## Remediation\n\nIt is beneficial to create an Organization trail, as that will create a trail with that name in every region, in every account belonging to the Organization. See the [Creating a trail for an organization][1] documentation for additional details.\n\nIf you are not using AWS Organizations, you can create a multi-region CloudTrail trail directly in the affected AWS account.\n\n### From the console\n\nTo create an Organization trail:\n1. Follow the [Creating a trail for an organization][2] instructions to get started with CloudTrail.\n\nTo create a multi-region trail in an AWS account:\n1. 
Follow the [Creating and updating a trail with the console][3] instructions to get started with CloudTrail. This will enable a multi-region CloudTrail by default. \n\n### From the command line\n\nTo convert a single-region trail to multi-region using the command line:\n\n1. Run `aws cloudtrail describe-trails` to investigate your current CloudTrail configuration.\n2. Run `update-trail` with the following arguments on your selected trail to [enable multi-region-trail][4].\n ```\n aws cloudtrail update-trail\n --name my-trail\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-console.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls
","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudtrail_trail) = \"pass\" if {\n\tcloudtrail_trail.is_multi_region_trail\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":21,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### From the console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. 
Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","f
ramework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_origin_protocol_policy(origin_protocol_policy) if {\n\torigin_protocol_policy == \"http-only\"\n} else if {\n\torigin_protocol_policy == \"match-viewer\"\n}\n\nnon_compliant_distribution_config(cloudfront_distribution) if {\n\tsome item in cloudfront_distribution.distribution_config.origins.items\n\tnon_compliant_origin_protocol_policy(item.custom_origin_config.origin_protocol_policy)\n}\n\neval(cloudfront_distribution) = \"fail\" if {\n\tnon_compliant_distribution_config(cloudfront_distribution)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### From the console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### From the command line\n\n1. Generate a RSA key pair. Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. 
Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. 
Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.field_level_encryption_id == \"\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### From the 
console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### From the command line\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(cloudfront_distribution) = \"fail\" if {\n\tcloudfront_distribution.distribution_config.default_cache_behavior.viewer_protocol_policy == \"allow-all\"\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudfront_distribution"]},"validationQuery":"","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. 
For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From the console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From the console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" if {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\"\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else if {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (for example, `kubectl` or `docker`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to enumerate other pods or containers, escalate privileges, or exfiltrate secrets by running container management orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `docker`) executes with specific process arguments detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your pods, containers, and hosts.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"get\" AND \"--all-namespaces\") OR @process.args:(\"cluster-info\") OR @process.args:(\"auth\" AND \"can-i\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_enumeration","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/kubectl\" (@process.args:(\"create\" AND \"namespace\") OR @process.args:(\"run\" AND \"image=\") OR @process.args:(\"port-forward\") OR @process.args:(\"attach\") OR @process.args:(\"exec\"))","groupByFields":["host"],"aggregation":"count","name":"kubectl_provision","distinctFields":[]},{"query":"@agent.rule_id:suspicious_container_client @process.executable.path:\"/usr/bin/docker\" (@process.args:(\"run\" AND \"--privileged\") OR @process.args:(\"exec\" AND \"-it\") OR @process.args:(\"run\" AND \"--cap-add\") OR @process.args:(\"apparmor=unconfined\") OR @process.args:(\"attach\"))","groupByFields":["host"],"aggregation":"count","name":"docker_provision","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kubectl_enumeration","condition":"kubectl_enumeration > 
0"},{"status":"medium","notifications":[],"name":"kubectl_provision","condition":"kubectl_provision > 0"},{"status":"medium","notifications":[],"name":"docker_provision","condition":"docker_provision > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. 
\n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. 
https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. 
Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. 
A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is 
set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. \n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. 
https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address or user agent 
when multiple user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and at least 5 of the `@evt.outcome` are equal to `false` by the same network IP address or user agent.\n\nSecurity Signal returns **MEDIUM** if`@evt.outcome` has value of `success` after 5 multiple failed logins by the same network IP address or user agent.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n* 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.\n* 26 October 2022 - Updated query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 50055)","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@network.client.ip","@properties.appId"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure @properties.status.errorCode:(50126 OR 50053 OR 53003 OR 50135 OR 
50055)","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_user_agent","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success -message:(\"MFA requirement satisfied by claim in the token\" OR \"MFA requirement satisfied by strong authentication\" OR \"MFA requirement skipped due to remembered device\" OR \"MFA requirement satisfied by claim provided by external provider\" OR \"MFA completed in Azure AD\")","groupByFields":["@http.useragent","@properties.appId"],"aggregation":"count","name":"successful_login_same_user_agent","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Successful login after multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4 && successful_login_same_user_agent > 0"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 4"},{"status":"info","notifications":[],"name":"Multiple failed login attempts from the same user agent","condition":"failed_login_multiple_user_accounts_same_user_agent > 4"}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## 
Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* 
@evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.\n\n## Changelog\n* 2 November 2022 - Updated severity.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":56,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && 
successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. 
Remediate compromised user accounts.\n\n## Changelog\n* 5 January 2023 - Updated query, severity of cases, and group by values.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:(\"Invalid Password\" OR \"User is Inactive\")","groupByFields":["@network.client.ip","@login_url"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @evt.name:LoginEvent @status:\"Success\"","groupByFields":["@network.client.ip","@login_url"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"at least 1 unique login success from a single IP","condition":"unique_users_failing_to_login >= 5 && successful_login>=1"},{"status":"low","notifications":[],"name":"at least 5 unique users have failed to login from a single IP","condition":"unique_users_failing_to_login >= 5"}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. 
This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename 
OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else if {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else if {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else if {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else if {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, 
credential_report, \"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\" -(@process.executable.path:\"/usr/bin/touch\" @file.path:\"/var/spool/cron/lastrun\")","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. 
Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" if {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Transparent 
Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_transparent_data_encryption(transparent_data_encryption) if {\n\ttransparent_data_encryption.status == \"Enabled\"\n} else if {\n\ttransparent_data_encryption.state == \"Enabled\"\n}\n\neval(sql_server_database) = \"pass\" if {\n\tcompliant_transparent_data_encryption(sql_server_database.transparent_data_encryption)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server_database"]},"validationQuery":"","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\" -(@process.ancestors.executable.name:postgres @process.args:*pg_wal*)","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job 
data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console\n\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. 
Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Compliance","level:1","requirement:Storage-Accounts","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","source:azure.storage","control:A.13.1.3","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3
.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.network_acls.default_action == \"Deny\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for 
Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\n### From the console\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(diagnostic_setting) = \"fail\" if {\n\tsome log in diagnostic_setting.logs\n\tlog.category in [\"Administrative\", \"Alert\", \"Policy\", \"Security\"]\n\tlog.enabled == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_diagnostic_setting"]},"validationQuery":"","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"}]} headers: Content-Type: - application/json 
@@ -742,7 +674,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. 
https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB 
data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: 
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb 
(@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. 
If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requiremen
t":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\") -@process.uid:0 -@process.gid:0","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside 
containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### From the command line\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dynamodb) = \"pass\" if 
{\n\tupper(dynamodb.sse_description.status) == \"ENABLED\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_dynamodb"]},"validationQuery":"","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_dynamodb","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) 
snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### From the console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### From the command line\n\n1. Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"pass\" if {\n\tebs_snapshot.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized 
users.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_volume) = \"pass\" if {\n\tebs_volume.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ebs_volume"]},"validationQuery":"","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","control:1.11","security:compliance","source:ebs","control:6.5.3","cloud_provider:aws","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### From the console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### From the command line\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.11","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ebs_snapshot) = \"fail\" if {\n\tsome permission in ebs_snapshot.create_volume_permissions\n\tpermission.group == \"all\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_ebs_snapshot"]},"validationQuery":"","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. 
\n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ec2_instance) = \"pass\" if {\n\tec2_instance.metadata_options.http_tokens == \"required\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ec2_instance"]},"validationQuery":"","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses 
IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### From the console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### From the command line\n\n1. Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. 
Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"contro
l":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_access_logs(elb_load_balancer) if {\n\tsome attribute in elb_load_balancer.attributes\n\tattribute.access_log_enabled\n} else if {\n\telb_load_balancer.load_balancer_attributes.access_log.enabled\n}\n\neval(elb_load_balancer) = \"fail\" if {\n\tnot compliant_access_logs(elb_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elb_load_balancer"]},"validationQuery":"","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### From the console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] doc to learn how to create a listener that checks for connection requests.\n\n### From the command line\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] doc.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912 \\\n --protocol HTTPS \\\n --port 443 \\\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456 \\\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(elbv2_load_balancer) if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTPS\"\n} else if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol == \"HTTP\"\n\telbv2_load_balancer.listeners[_].default_actions[_].redirect_config.protocol == \"HTTPS\"\n\telbv2_load_balancer.listeners[_].default_actions[_].type == \"redirect\"\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"fail\" if {\n\tnot compliant_listener(elbv2_load_balancer)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure 
listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLB's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n## Remediation\n\n### From the console\n\nFollow the [Create a listener for your network load balancer][1] doc to learn how to add a TLS listener to your network load balancer.\n\n### From the command line\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. 
Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] doc.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \\\n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \\\n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \\\n --protocol TLS \\\n --port 443 \\\n --ssl-policy ELBSecurityPolicy-2016-08 \\\n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_listener(listener) if {\n\tlistener.protocol == \"TCP\"\n\tlistener.port == 443\n}\n\neval(elbv2_load_balancer) = \"skip\" if {\n\tnot elbv2_load_balancer.type == \"network\"\n} else = \"fail\" if {\n\tsome listener in 
elbv2_load_balancer.listeners\n\tlistener.protocol != \"TLS\"\n\tnot compliant_listener(listener)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access 
Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### From the console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### From the command line\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else if {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access 
logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### From the console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### From the command line\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elbv2_load_balancer) = \"skip\" if {\n\telbv2_load_balancer.type != \"application\"\n} else = \"pass\" if {\n\tsome listener in elbv2_load_balancer.listeners\n\tlistener.ssl_policy in [\"ELBSecurityPolicy-TLS-1-1-2017-01\", \"ELBSecurityPolicy-TLS-1-2-Ext-2018-06\", \"ELBSecurityPolicy-FS-1-2-Res-2019-08\", \"ELBSecurityPolicy-FS-1-1-2019-08\", \"ELBSecurityPolicy-FS-1-2-Res-2020-10\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. 
Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### From the console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### From the command line\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.configuration_endpoint.port == 11211\n} else if {\n\telasticache.engine == \"redis\"\n\telasticache.configuration_endpoint.port == 6379\n}\n\neval(elasticache) = \"fail\" if {\n\tdefault_port_used(elasticache)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### From the command line\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticache) = \"pass\" if {\n\tcount(elasticache.cache_subnet_group_name) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### From the console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the 
console.\n\n### From the command line\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n --multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_engine_version(elasticache) if {\n\telasticache.engine == \"memcached\"\n\telasticache.engine_version == \"1.6.6\"\n} else if {\n\telasticache.engine == \"redis\"\n\tstartswith(elasticache.engine_version, \"6.\")\n} else if {\n\tnot elasticache.engine in [\"memcached\", \"redis\"]\n}\n\neval(elasticache) = \"pass\" if {\n\tcompliant_engine_version(elasticache)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_elasticache"]},"validationQuery":"","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### From the console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### From the command line\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: 
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.common as dd_common\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(version) = \"pass\" if {\n\tformatted_semver := dd_common.format_semver(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" if {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := dd_common.format_semver(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### OpenSearch\n\nIf you are using OpenSearch Service Domains, refer to Amazon's [guide for creating and managing Amazon 
OpenSearch Service domains][1] for both console and CLI remediation actions. \n\n### From the console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\neval(elasticsearch_domain) = \"fail\" if {\n\tsome policy in elasticsearch_domain.policies\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource 
in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra 
layer of security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Pro
cess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\tendswith(elasticsearch_domain.endpoint, \".es.amazonaws.com\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a 
VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement encryption at rest for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### From the command line\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```bash\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. 
Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```bash\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(elasticsearch_domain) = \"pass\" if {\n\telasticsearch_domain.encryption_at_rest_options_enabled == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### From the command line\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(elasticsearch_domain) = \"fail\" if {\n\telasticsearch_domain.encryption_at_rest_options_kms_key_id == \"(Default) aws/es\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate 
the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668091740758,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"co7-ldi-49e","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test 
rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1668543986037,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"rje-tku-m3r","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response_1668543985"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:AppService","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. 
This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\n### From the console\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted 
channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ftps_state(app_service) if {\n\tapp_service.site_config_ftps_state == \"AllAllowed\"\n} else if {\n\tapp_service.site_config.ftps_state == \"AllAllowed\"\n}\n\neval(app_service) = \"fail\" if {\n\tnon_compliant_ftps_state(app_service)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the accessed 
bucket: {{bucket_name}} should be accessible to unauthenticated users.\n\n## Changelog\n* 27 October 2022 - updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","technique:T1078-valid-accounts","scope:gcp-cloud-functions","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect possible GCP service account impersonation activity using the gcploit exploitation framework.\n\n## Strategy\nMonitor GCP Cloud Function Logs `source:gcp.cloud.function` and detect if the following sequence of events has occurred within a one minute window:\n* Function is created - `google.cloud.functions.v1.CloudFunctionsService.CreateFunction` with a timeout of 539s (`@data.protoPayload.request.function.timeout:539s`)\n* Function's IAM access control policy is enumerated - `google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy`\n* Function's IAM access control policy is set - `google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy`\n\n## Triage & Response\n1. Investigate if the function:`{{@function.name}}` was intentionally created by user `{{@usr.id}}`.\n2. 
If unauthorized:\n * Revoke access of compromised credentials.\n * Remove unauthorized cloud functions.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n","options":{"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":3600,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloud.function @evt.name:google.cloud.functions.v1.CloudFunctionsService.CreateFunction @data.protoPayload.request.function.timeout:539s","groupByFields":["@function.name"],"aggregation":"cardinality","name":"function_creation","distinctFields":["@usr.id"]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.GetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"get_iam_policy","distinctFields":[]},{"query":"@evt.name:google.cloud.functions.v1.CloudFunctionsService.SetIamPolicy","groupByFields":["@function.name"],"aggregation":"count","name":"set_iam_policy","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"function_creation > 0 && get_iam_policy > 0 && set_iam_policy >0"}],"type":"log_detection","id":"un3-5tn-fmz","createdAt":1657138827448,"name":"GCP Service Account Impersonation using GCPloit Exploitation Framework"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect GCP service account impersonation activity through the use of access tokens.\n\n## Strategy\nMonitor GCP Admin Activity audit logs for event `@evt.name:GenerateAccessToken`:\n* Successful Attempts: `@data.protoPayload.authorizationInfo.granted:true`\n* Failed Attempts: `@evt.outcome:PERMISSION_DENIED`\n\n## Triage & Response\n1. 
Investigate if the user `{{@usr.id}}` from IP address:`{{@network.client.ip}}` intended to perform this activity.\n2. If unauthorized:\n * Revoke access of compromised user and service account.\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard.\n * Investigate other activities performed by the IP `{{@network.client.ip}}` using the Cloud SIEM - IP Investigation dashboard.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":300},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @data.protoPayload.authorizationInfo.granted:true","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_success","distinctFields":[]},{"query":"source:gcp.service.account service:iamcredentials.googleapis.com @evt.name:GenerateAccessToken @evt.outcome:PERMISSION_DENIED","groupByFields":["@network.client.ip","@http.useragent"],"aggregation":"count","name":"generate_access_token_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"generate_access_token_failed > 0 && generate_access_token_success > 0"},{"status":"low","notifications":[],"name":"Attempted","condition":"generate_access_token_failed > 0"}],"type":"log_detection","id":"mjs-vof-vtn","createdAt":1662479173677,"name":"GCP Service Account impersonation activity using access token generation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. 
This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1580-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n## Changelog\n* 17 October 2022 - Updated tags.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. 
If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`).\n\n## Changelog\n* 17 October 2022 - Updated tags.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\naccess_key_used_too_long_ago(credential_report, seen, key_to_check) if {\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])] > last_used_age_threshold\n} else if {\n\tnot credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_used_date\"])]\n}\n\naccess_key_non_compliant(credential_report, seen, key_to_check) if {\n\tcredential_report[concat(\"\", [\"access_key_\", key_to_check, \"_active\"])]\n\tseen - credential_report[concat(\"\", [\"access_key_\", key_to_check, \"_last_rotated\"])] > last_rotated_age_threshold\n\taccess_key_used_too_long_ago(credential_report, seen, key_to_check)\n}\n\nnon_compliant_credential_report(credential_report, seen) if {\n\taccess_key_non_compliant(credential_report, seen, \"1\")\n} else if 
{\n\taccess_key_non_compliant(credential_report, seen, \"2\")\n}\n\nshould_skip(iam_user) if {\n\tsome credential_report in iam_user.credential_report\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else if {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" if {\n\tsome credential_report in iam_user.credential_report\n\tseen := iam_user.resource_seen_at\n\tnon_compliant_credential_report(credential_report, seen)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the last 30 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tcount(iam_user.user_policies) > 0\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = 
\"fail\" if {\n\tsome password_policy in iam_account.password_policy\n\tpassword_policy.minimum_password_length < 14\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:Identity-and-Access-Management","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. 
It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\naccount_invalid(iam_account) if {\n\tnot iam_account.password_policy_v2.password_reuse_prevention == 24\n}\n\neval(iam_account) = \"fail\" if {\n\taccount_invalid(iam_account)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. 
It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. 
[http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.2","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework"
:"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" if {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. 
Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninvalid_policy(password_policy) if {\n\tpassword_policy.expire_passwords == false\n} else if {\n\tpassword_policy.max_password_age > 90\n}\n\ninvalid_account(iam_account) if {\n\tinvalid_policy(iam_account.password_policy_v2)\n} else if {\n\tnot iam_account.password_policy_v2\n}\n\neval(iam_account) = \"fail\" if {\n\tinvalid_account(iam_account)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_lowercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_numbers == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_symbols == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tiam_account.password_policy_v2.require_uppercase_characters == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### From the command line\n\n1. 
Run `list-users` to get [a list of current IAM users][3].\n ```\n aws iam list-users\n ```\n\n2. Run the `list-user-policies` command find the [users attached policies][4].\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. Run the `detach-user-policy` command to [revoke Administrator access][5].\n ```\n aws iam detach-user-policy \\\n --user-name insert-username-here \\\n --policy-arn insert-policy-arn-here\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","
version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_attached_policy(iam_user) if {\n\tsome attached_policy in iam_user.attached_policies\n\tattached_policy.policy_name == \"AdministratorAccess\"\n}\n\neval(iam_user) = \"fail\" if {\n\tnon_compliant_attached_policy(iam_user)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does not have admin permissions to your AWS 
account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","control:1.1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEach IAM role must have a [trust policy][1] which defines the principals who are trusted to assume that role. It is possible to specify a [wildcard principal][2] which permits any principal, including those outside your organization, the ability to assume the role. It is strongly discouraged to use the wildcard principal in a trust policy unless there is a [`Condition` element][3] to restrict access.\n\n## Rationale\n\nA trust policy with a wildcard principal permits any AWS account the ability to assume the role. It is therefore discouraged.\n\n## Remediation\n\nEnsure the identified role does not have a principal value of `\"AWS\": \"*\"`. If a wildcard principal is necessary, use a `Condition` element to restrict access. Follow the [AWS documentation][4] to properly scope the `Principal` policy element.\n\n### From the console\n\n1. In the AWS Console, navigate to the IAM role you would like to change.\n2. On the IAM role page, click the **Trust relationships** tab.\n3. Click **Edit trust policy**.\n4. Make changes to the trust policy to remediate the risk.\n5. 
Click **Update policy**.\n\n### From the command line\n\nUse the `update-assume-role-policy` action to [update the role trust policy][5] to remediate the risk.\n\n aws iam update-assume-role-policy\n --role-name Test-Role\n --policy-document file://.json\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/update-assume-role-policy.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.1","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":
"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncontains_case_insensitive(array, elem) if {\n\tcandidate := array[_]\n\tlower(candidate) == lower(elem)\n}\n\neval(iam_role) = \"fail\" if {\n\trole_policy := iam_role.role_policy[_]\n\n\tlower(role_policy.statement_effect) == \"allow\"\n\trole_policy.policy_principal.principal_aws[_] == \"*\"\n\n\tcontains_case_insensitive(role_policy.statement_action, \"sts:AssumeRole\")\n\n\tnot role_policy.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_role"]},"validationQuery":"","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role trust policy does not contain a wildcard 
principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### From the console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### From the command line\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: 
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From the console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else if {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From the console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tcompute_instance.can_ip_forward\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### From the console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### From the command line\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"fail\" if {\n\tstorage_blob_container.has_immutability_policy == false\n\tstorage_blob_container.has_legal_hold == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. 
If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 445\n\trule.to_port >= 445\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 20\n\trule.to_port >= 20\n} else if {\n\trule.from_port <= 21\n\trule.to_port >= 21\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","req
uirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 80\n\trule.to_port >= 80\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### From the command line\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else if {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1433\n\trule.to_port >= 1433\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 27017\n\trule.to_port >= 27017\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 3306\n\trule.to_port >= 3306\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is restricted"}]} headers: Content-Type: - application/json 
@@ -759,7 +691,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. 
Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + 
{"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 9200\n\trule.to_port >= 9200\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound OpenSearch access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 1521\n\trule.to_port >= 1521\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 (used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 23\n\trule.to_port >= 23\n}\n\nnon_compliant_protocols_and_ports(rule) if {\n\trule.protocol in [\"tcp\", \"6\"]\n\tnon_compliant_ports(rule)\n} else if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\", \"::/0\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome rule in security_group.rules\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocols_and_ports(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### From the command line\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 138\n\trule.to_port >= 137\n}\n\nnon_compliant_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else if {\n\trule.protocol in [\"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else if {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule.ip_range)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. 
Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" if {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\"\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.args:*\\/dev\\/tcp\\/*","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_known_bad","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(uname OR cat OR ls OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
(@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.executable.name:(curl OR wget)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution (@process.parent.executable.name:java OR @process.ancestors.1.executable.name:java) @process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"java_shell_execution_known_bad","condition":"java_shell_execution_known_bad > 0"},{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. 
Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From the console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed if {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed if {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed if {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" if {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n* 21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n* 17 October 2022 - Updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### From the command line\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.vpc_config_vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing 
charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### From the command line\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnot_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\neval(lambda_policy_statement) = \"fail\" if {\n\tnot_compliant_policy_principal(lambda_policy_statement.policy_principal)\n\tlambda_policy_statement.statement_effect == \"Allow\"\n\tnot lambda_policy_statement.statement_has_condition\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_lambda_policy_statement"]},"validationQuery":"","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","control:CC7.5","framework:gdpr","requirement:Security-Management-Process","requirement:Application-Updates","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### From the command line\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(lambda_function) = \"pass\" if {\n\tlambda_function.runtime in [\"nodejs16.x\", \"python3.9\", \"ruby2.7\", \"java11\", \"go1.x\", \"dotnet6\", \"provided.al2\"]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_lambda_function"]},"validationQuery":"","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. 
This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: 
https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. 
If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:(\"-S\" OR \"-Sa\" OR \"-aS\" OR \"--status\" OR \"--all\")","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. 
To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. 
Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. [https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id |\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else if {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. 
Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. 
This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_account) = \"fail\" if {\n\tnot iam_account.account_mfa_enabled == 1\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_account"]},"validationQuery":"","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.6","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Identity-and-Access-Management","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","framework:security-labs","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. 
With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.6","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"1.10","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_user) = \"fail\" if {\n\tsome report in iam_user.credential_report\n\treport.password_enabled == true\n\treport.mfa_active == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. 
For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### From the console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### From the command line\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_ports(entry) if {\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n} else if {\n\tentry.port_range_from <= 22\n\tentry.port_range_to >= 22\n} else if {\n\tentry.port_range_from <= 3389\n\tentry.port_range_to >= 3389\n}\n\nnon_compliant_protocols_and_ports(entry) if {\n\tentry.protocol in [\"tcp\", 
\"6\", \"udp\", \"17\"]\n\tnon_compliant_ports(entry)\n} else if {\n\tnot entry.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.cidr_block == \"0.0.0.0/0\"\n}\n\nnon_compliant_cidr_block(entry) if {\n\tentry.ipv6_cidr_block == \"::/0\"\n}\n\neval(network_acl) = \"fail\" if {\n\tsome entry in network_acl.entries\n\tentry.egress == false\n\tentry.rule_action == \"allow\"\n\tnon_compliant_cidr_block(entry)\n\tnon_compliant_protocols_and_ports(entry)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### From the console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### From the command line\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. 
\n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if 
{\n\tsecurity_rule.destination_port_range == \"*\"\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else if {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else if {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly 
used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:(\"-V\" OR \"--version\")","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_enabled_features(enabled_features) if {\n\tsome enabled_feature in enabled_features\n\tupper(enabled_feature) in [\n\t\t\"TLS_RSA_WITH_AES_128_GCM_SHA256\",\n\t\t\"TLS_RSA_WITH_AES_256_GCM_SHA384\",\n\t\t\"TLS_RSA_WITH_AES_128_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_AES_256_CBC_SHA\",\n\t\t\"TLS_RSA_WITH_3DES_EDE_CBC_SHA\",\n\t]\n}\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else if {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot non_compliant_enabled_features(compute_ssl_policy.enabled_features)\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, \"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == 
compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. 
[http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1
"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_credential_report) = \"skip\" if {\n\tiam_credential_report.user != \"\"\n} else = \"pass\" if {\n\tnot iam_credential_report.access_key_1_active\n\tnot iam_credential_report.access_key_2_active\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key 
exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access\nto remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n### Impact \n\nWhen updating an existing environment, ensure that administrators have access to\nremote server administration ports through another mechanism before removing access\nby deleting the 0.0.0.0/0 (IPv4) or ::/0 (IPv6) inbound rule.\n\n## Remediation\n\nPerform the following to implement the prescribed state:\n1. Login to the AWS Management Console at\n[https://console.aws.amazon.com/vpc/home][1]\n2. In the left pane, click **Security Groups**\n3. 
For each security group, perform the following:\n A. Select the security group\n B. Click the **Inbound Rules** tab\n C. Click the **Edit inbound rules** button\n D. Identify the rules to be edited or removed\n E. Either update the **Source** field to a range other than 0.0.0.0/0, or click\n**Delete** to remove the offending inbound rule\n F. Click **Save rules**\n\n\n[1]: https://console.aws.amazon.com/vpc/home\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Proc
essing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else if {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else if {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nnon_compliant_protocol(rule) if {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tnon_compliant_port(rule)\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ip_range == \"0.0.0.0/0\"\n}\n\nnon_compliant_ip_range(rule) if {\n\trule.ipv6_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tnon_compliant_ip_range(rule)\n\tnon_compliant_protocol(rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. 
Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. 
[https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" if {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = 
\"fail\"\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else if {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"}]} headers: Content-Type: - application/json 
@@ -776,7 +708,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and 
response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From the console\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From the command line\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. 
The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur 
when permitting unfettered outbound access.\n\n## Remediation\n\n### From the console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### From the command line\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Acc
ess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol in [\"icmp\", \"1\"]\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range in [\"0.0.0.0/0\"]\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1497-virtualization-or-sandbox-evasion","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug -@process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_antidebug @process.executable.name(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug_unknown_tracer","condition":"ptrace_antidebug_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_antidebug_known_tracer","condition":"ptrace_antidebug_known_tracer > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process 
debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. 
If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":
"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tsome firewall_rule in postgresql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. 
An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 26 August 2022 - Updated rule query\n* 1 November 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(21 OR 22 OR 23 OR 445 OR 
2375 OR 3389 OR 5900 OR 5985 OR 5986))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:21 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:21)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:22 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:22)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3389 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3389)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5900 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5900)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:2375 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:2375)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5985 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5985)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5986 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5986)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23) OR 
(@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:23 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:23)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:445 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:445)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"medium","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"medium","notifications":[],"name":"SSH","condition":"sg_ssh_port > 
0"},{"status":"medium","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"medium","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"medium","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"medium","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"medium","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"medium","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. 
Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. 
Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. \n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following 
ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** A separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n* 15 December 2022 - Updated rule query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200))) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\")) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR 
@requestParameters.ipPermissions.items.toPort:3306) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:3306 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:3306)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5432 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5432)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:1433 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:1433)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:27017 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:27017)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 
OR @requestParameters.ipPermissions.items.toPort:6379) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6379 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6379)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:5984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:5984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR 
@requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:6984 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:6984)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:(AuthorizeSecurityGroupIngress OR ModifySecurityGroupRules) ((@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.FromPort:9200 OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.ToPort:9200)) ((@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) OR (@requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv4:\"0.0.0.0/0\" OR @requestParameters.ModifySecurityGroupRulesRequest.SecurityGroupRule.SecurityGroupRule.CidrIpv6:\"::/0\"))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 
0"},{"status":"medium","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"medium","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"medium","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"medium","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"medium","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"medium","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"medium","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. 
If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args -@process.executable.path:\"/usr/bin/grep\"","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection -@process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_unknown_tracer","distinctFields":[]},{"query":"@agent.rule_id:ptrace_injection @process.executable.name:(\"dlv\" OR \"dlv-linux-adm64\" OR \"strace\" OR \"gdb\" OR \"lldb-server\")","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection_known_tracer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection_unknown_tracer","condition":"ptrace_injection_unknown_tracer > 0"},{"status":"low","notifications":[],"name":"ptrace_injection_known_tracer","condition":"ptrace_injection_known_tracer > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. 
Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. 
Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"pass\" if {\n\taks_cluster.enable_rbac\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. 
[Disable direct RDP access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framewo
rk":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range in [\"3389\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 3389\n\tto_number(split_port_range[1]) >= 3389\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. 
Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. 
[https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == 
\"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] documentation to ensure your database instances are encrypted.\n\n### From the command line\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances \\\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot \\\n --db-snapshot-identifier my-db-snapshot \\\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases \\\n --region us-west-1\n ```\n\n4. 
Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot \\\n --region us-west-1 \\\n --source-db-snapshot-identifier original-db-snapshot-id \\\n --target-db-snapshot-identifier encrypted-db-snapshot-id \\\n --copy-tags \\\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-id \\\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances \\\n --region us-west-1 \\\n --db-instance-identifier encrypted-db-snapshot-id \\\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","re
quirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(rds_instance) = \"pass\" if {\n\trds_instance.storage_encrypted == true\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted 
access to your RDS instance allows everyone on the internet to establish a connection with your database. This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### From the command line\n\n1. Run the `modify-db-instance` command to make the instance not publicly accessible.\n\n ```\n aws rds modify-db-instance\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --db-instance-identifier INSERT_DB_INSTANCE_NAME \\\n\t --no-publicly-accessible \\\n\t --apply-immediately\n ```\n2. Run the `revoke-security-group-ingress` command to block any IPv4 address connecting to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n\t --region INSERT_DB_INSTANCE_REGION \\\n\t --group-id INSERT_SECURITY_GROUP_ID \\\n\t --protocol tcp \\\n\t --port 3306 \\\n\t --cidr 0.0.0.0/0 \n ```\n3. For IPv6 you can use the same command from step 2 but use the `--ip-permissions` option instead. Reference this [aws-cli documentation][1] for more information.\n\n4. After removing the 0.0.0.0/0 or ::/0 cidr ranges from ingress you need to add in better cidr ranges using the `authorize-security-group-ingress` command.\n\n ```\n aws ec2 authorize-security-group-ingress\n \t --region INSERT_DB_INSTANCE_REGION\n\t --group-id INSERT_SECURITY_GROUP_ID\n\t --protocol tcp\n\t --port 3306\n\t --cidr INSERT_SMALLER_CIDR_RANGE\n ```\n\n[1]: 
https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html#options","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecurity_group_vpc_id_to_compliant = {security_group.vpc_id |\n\tsome security_group in input.resources.aws_security_group\n\tcheck_group_non_compliance(security_group)\n}\n\ncheck_group_non_compliance(security_group) if {\n\tsecurity_group_rules := security_group.rules[_]\n\tlower(security_group_rules.direction) == \"ingress\"\n\tcheck_ip_range(security_group_rules)\n}\n\ncheck_ip_range(security_group_rules) if {\n\tsecurity_group_rules.ip_range == \"0.0.0.0/0\"\n}\n\ncheck_ip_range(security_group_rules) if 
{\n\tsecurity_group_rules.ipv6_range == \"::/0\"\n}\n\neval(rds_instance) = \"fail\" if {\n\trds_instance.publicly_accessible == true\n\tsecurity_group_vpc_id_to_compliant[rds_instance.db_subnet_group_vpc_id]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_instance","aws_security_group"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. 
This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### From the console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### From the command line\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: 
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndefault_port_used(rds_instance) if {\n\trds_instance.engine in [\"aurora\", \"aurora-mysql\", \"mysql\", \"mariadb\"]\n\trds_instance.endpoint_port == 3306\n} else if {\n\trds_instance.engine in [\"postgres\", \"aurora-postgresql\"]\n\trds_instance.endpoint_port == 5432\n} else if {\n\trds_instance.engine in [\"oracle-ee\", \"oracle-se2\", \"oracle-se1\", \"oracle-se\"]\n\trds_instance.endpoint_port == 1521\n} else if {\n\trds_instance.engine in [\"sqlserver-ee\", \"sqlserver-se\", \"lserver-ex\", \"sqlserver-web\"]\n\trds_instance.endpoint_port == 1433\n}\n\neval(rds_instance) = \"fail\" if {\n\tdefault_port_used(rds_instance)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_rds_instance"]},"validationQuery":"","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","control:1.4","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots by ensuring they are not publicly accessible.\n\n## Rationale\n\nRDS Snapshots can be marked as [public][3], allowing anyone the ability to copy the snapshot to their AWS account and create database instances from it. 
Unless a snapshot is being shared intentionally, it should be deleted.\n\n## Remediation\n\n### From the console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### From the command line\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n```\naws rds modify-db-snapshot-attribute \\\n --db-snapshot-identifier yourdbsnapshot \\\n --attribute-name restore \\\n --values-to-remove \"all\"\n```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Public\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing",
"version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_restore_attributes(db_snapshot_restore_attribute_values) if {\n\tdb_snapshot_restore_attribute_values[_] == \"all\"\n}\n\neval(rds_db_snapshot) = \"fail\" if {\n\tnon_compliant_restore_attributes(rds_db_snapshot.db_snapshot_restore_attribute_values)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_rds_db_snapshot"]},"validationQuery":"","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. 
To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. [https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" if {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### From the console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### From the command line\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster \\\n --cluster-identifier cluster-name \\\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters \\\n --cluster-identifier cluster-name \\\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster \\\n --cluster-identifier old-cluster \\\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.encrypted\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm Redshift clusters are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing clusters in a VPC][2] docs to learn how to modify public accessibility for your clusters.\n\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tnot redshift_cluster.publicly_accessible\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. 
If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.master_username != \"awsuser\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. 
Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### From the console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. 
Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framew
ork":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.endpoint.port != 5439\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default 
port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### From the console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### From the command line\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. 
Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.vpc_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### From the console\n\nFollow the Amazon Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### From the command 
line\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = 
\"pass\" if {\n\tredshift_cluster.cluster_logging.logging_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:AppService","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. 
When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\n### From the command line\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_identity(app_service) if {\n\tapp_service.identity_principal_id\n} else if {\n\tapp_service.identity.principal_id\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_identity(app_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active 
Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a default namespace, where objects are placed if no namespace is specified for them. 
Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag in the docker run command you can specify a restart policy for how a container 
should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n}\n\ndestination_with_filter(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tlog_bucket_bucket_name := trim_right(split(logging_log_bucket.resource_name, \"buckets/\")[1], \"\\\"\")\n\tsink_bucket_bucket_name := trim_right(split(logging_log_sink.destination, \"buckets/\")[1], \"\\\"\")\n\tlog_bucket_bucket_name == sink_bucket_bucket_name\n\tlogging_log_sink.filter != \"\"\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_with_filter(logging_log_bucket)\n} else = \"pass\" if {\n\tcompliant(logging_log_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" if {\n\tnon_compliant_keys(iam_credential_report)\n} else = 
\"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects to the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\n### From the console\n\n1. Open the [AWS KMS console][1].\n2. To change the AWS region, use the region selector in the upper-right corner of the page.\n3. Choose **Customer managed keys**.\n4. Choose the alias of the key to update in the **Alias** column.\n5. Choose **Key rotation**.\n6. Select **Automatically rotate this KMS key every year** and then choose **Save**.\n\n### From the command line\n\n1. Use the [`enable-key-rotation`][2] command to set an automatic rotation of a KMS key on an annual basis.\n\n ```\n aws kms enable-key-rotation \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n2. Use the [`get-key-rotation-status'][3] command to verify that you've set the rotation correctly.\n\n ```\n aws kms get-key-rotation-status \\\n --region insert-region-here \\\n --key-id insert-kms-key-id-here\n ```\n\n## References\n\n1. 
[https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html][4]\n\n[1]: https://console.aws.amazon.com/kms\n[2]: https://docs.aws.amazon.com/cli/latest/reference/kms/enable-key-rotation.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/kms/get-key-rotation-status.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/best-practices.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aws_kms) = \"skip\" if {\n\taws_kms.key_manager != \"CUSTOMER\"\n} else = \"fail\" if {\n\tnot aws_kms.key_rotation_enabled\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_kms"]},"validationQuery":"","resourceType":"aws_kms","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your bucket ACL to remove public `READ_ACP`, `READ` access.\n\n## Rationale\n\n* Public `READ_ACP` access gives anyone the ability to read the bucket ACL. With this permission, anyone can see who controls your objects. 
This information can potentially be used to find misconfigured permissions and gain access to your S3 data.\n\n* Public `READ` access allows the grantee to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][3].\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-P
rocess","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"READ\", \"READ_ACP\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if {\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket ACL and bucket objects are not publicly readable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket ACL is not viewable by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.5","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP`, `WRITE`, or `FULL_CONTROL` access for all AWS users or any authenticated AWS user.\n\n## Rationale\n\n* Public `WRITE_ACP` access gives anyone permissions to change the S3 bucket Access Control List. 
With these permissions, anyone can grant any permissions they want, such as reading or writing objects inside the bucket.\n\n* Public `WRITE` access allows the grantee to create new objects in the bucket. For the bucket and object owners of existing objects, also allows deletions and overwrites of those objects. \n\n* Public `FULL_CONTROL` access allows the grantee the `READ`, `WRITE`, `READ_ACP`, and `WRITE_ACP` permissions on the bucket.\n\nFor more information about S3 bucket ACLs, see the [Access control list (ACL) documentation][1].\n\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.5","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.ignore_public_acls == true\n}\n\ninsecure_s3_bucket(s3_bucket) if {\n\tacl := s3_bucket.acl[_]\n\tupper(acl.grantee_permission) in [\"WRITE\", \"WRITE_ACP\", \"FULL_CONTROL\"]\n\tlower(acl.grantee_uri) in [\"http://acs.amazonaws.com/groups/global/authenticatedusers\", \"http://acs.amazonaws.com/groups/global/allusers\"]\n}\n\ncompliant_s3_bucket(s3_bucket) if 
{\n\ts3_account_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\ts3_account_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(s3_account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_s3_bucket(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket(s3_bucket)\n} else = \"fail\"\n\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket ACLs are configured to block public write actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of 
Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### From the console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### From the command line\n\n1. Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"pass\" if {\n\ts3_bucket.versioning_mfa_delete == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. 
Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" if {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 
bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### From the console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### From the command line\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ninsecure_sse_algorithm(encryption_configuration) if {\n\tnot encryption_configuration.sse_algorithm in [\"AES256\", \"aws:kms\"]\n}\n\nbad_encryption_rules(s3_bucket) if {\n\tsome encryption_rules in s3_bucket.bucket_encryption_rules\n\tsome rules in encryption_rules.rules\n\tinsecure_sse_algorithm(rules.apply_server_side_encryption_by_default)\n} else if {\n\tnot s3_bucket.bucket_encryption_rules\n}\n\neval(s3_bucket) = \"fail\" if {\n\tbad_encryption_rules(s3_bucket)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling versioning on 
buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### From the command line\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tnot s3_bucket.versioning_status == \"Enabled\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket ACL to remove public `READ` access.\n\n## Rationale\n\nGranting public `READ` allows anyone to list objects within a bucket. 
Note that it does not allow to directly read the actual bucket objects.\n\n## Remediation\n\n### From the console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### From the command line\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n ```\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n ```\n\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"p
olicy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.3","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### From the command line\n\n1. Run the [`delete-bucket-policy`][2] command to fully remove any public access to the bucket.\n\n ```\n aws s3api delete-bucket-policy \\\n --bucket insert-bucket-name-here\n ```\n\n2. If you need a bucket policy, create a new non-public bucket policy using the [AWS Policy Generator][3].\n3. 
Apply the bucket policy from Step 2 with the [`put-bucket-policy`][4] command.\n\n ```\n aws s3api put-bucket-policy\n --bucket insert-bucket-name-here\n --policy file://insert-bucket-policy-file-name-here.json\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html#","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nsecure_s3_access_block(s3_access_block) if {\n\ts3_access_block.restrict_public_buckets == true\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n}\n\ninsecure_policy_principal(policy_principal) if {\n\tprincipal_aws := policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\ninsecure_policy_statements(s3_bucket) if {\n\tbucket_policy_statement := s3_bucket.bucket_policy_statement[_]\n\tbucket_policy_statement.statement_effect == \"Allow\"\n\tbucket_policy_statement.statement_has_condition == false\n\tinsecure_policy_principal(bucket_policy_statement.policy_principal)\n}\n\ncompliant_s3_bucket_access(s3_bucket) if {\n\taccount_public_access_block := input.resources.aws_s3_account_public_access_block[_]\n\taccount_public_access_block.account_id == s3_bucket.account_id\n\tsecure_s3_access_block(account_public_access_block)\n} else if {\n\tsecure_s3_access_block(s3_bucket.access_block[_])\n} else if {\n\tnot insecure_policy_statements(s3_bucket)\n}\n\neval(s3_bucket) = \"pass\" if {\n\tcompliant_s3_bucket_access(s3_bucket)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 
0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is not publicly exposed via bucket policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### From the command line\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tsome acl in s3_bucket.acl\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n\tacl.grantee_permission == \"READ\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket objects cannot be listed by all authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n* 18 March 2022 - Updated signal message, query and severity.\n* 16 November 2022 - Rule query updated.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n[3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n[4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n[5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n[6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n[7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n[8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:(cloudtrail OR amazon-security-lake) @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement 
is disabled.\n\n## Strategy\nThis detection monitors the change of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. 
You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic 
[resource-based policy][4] to prevent unintended access to the resource.\n\n## Rationale\n\nWhen a `*` is specified as a `Principal`, along with an `Allow` `Effect` it grants [anyone][5] the ability to perform actions on a resource. In this situation, if the policy includes the `sns:Subscribe` `Action`, it would permit anyone the ability to receive messages from the topic, resulting in an impact to the confidentiality of the application.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [resource-based policy][2] with an appropriate `Principal` ARN or a `Condition` element. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. 
Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes \\\n --topic-arn arn:aws:sns:region:123456789012:YourTopic \\\n --attribute-name Policy \\\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy(policy) if {\n\tpolicy.policy_principal.principal == \"*\"\n} else if {\n\tpolicy.policy_principal.principal_aws[_] == \"*\"\n}\n\nnon_compliant_statement_action(statement_action) if {\n\tlower(statement_action[_]) == \"sns:subscribe\"\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in 
sns_topic.policies\n\tlower(policy.statement_effect) == \"allow\"\n\tnon_compliant_policy(policy)\n\tnon_compliant_statement_action(policy.statement_action)\n\tpolicy.statement_has_condition == false\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has access restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `*` gives anyone access to publish on a topic. 
Unauthenticated users can publish arbitrary messages, potentially leading to loss of integrity and denial of service.\n\n## Remediation\n\n### From the console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### From the command line\n\n1. Update your [access control policy][2] with an appropriate `Principal` ARN. Save the file as `policy.json`.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```bash\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name Policy\n --attribute-value file://policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tsome principal_aws in policy_principal.principal_aws\n\tprincipal_aws == \"*\"\n}\n\nnon_compliant_statement_action(statement_actions) if {\n\t\"SNS:Publish\" in statement_actions\n}\n\nnon_compliant_policy(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnon_compliant_statement_action(policy.statement_action)\n\tnot policy.statement_has_condition\n\n\tnon_compliant_policy_principal(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tsome policy in sns_topic.policies\n\tnon_compliant_policy(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and regulatory requirements.\n\n## Remediation\n\n### From the console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### From the command 
line\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sns_topic) = \"pass\" if {\n\tsns_topic.kms_master_key_id\n} else = \"fail\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### From the console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### From the command line\n\nIf you do not have an access control policy, [create 
one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if 
{\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA 
database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From the command line\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"fail\" if {\n\tsome firewall_rule in sql_server.firewall_rules\n\tfirewall_rule.start_ip_address == \"0.0.0.0\"\n\tfirewall_rule.end_ip_address in [\"0.0.0.0\", \"255.255.255.255\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY 
IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. 
Click Save\n\n### Using PowerShell\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. 
In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" if {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\"\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your Cloud SQL 
databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From the command line\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" if {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\"\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\n### From the console\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_server) = \"pass\" if {\n\tsql_server.encryption_protector.kind == \"azurekeyvault\"\n\tsql_server.encryption_protector.server_key_type == \"AzureKeyVault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_sql_server"]},"validationQuery":"","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### From the console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master 
keys (CMK) for server-side encryption.\n\n### From the command line\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com//\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-sqs-queue.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nhas_server_side_encryption(sqs_queue) if {\n\tsqs_queue.sqs_managed_sse_enabled == true\n} else if {\n\tsqs_queue.kms_master_key_id\n}\n\neval(sqs_queue) = \"pass\" if {\n\thas_server_side_encryption(sqs_queue)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized 
users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### From the console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### From the command line\n\n1. Run the `list-queues` command to get a list of queue URLs.\n \n ```\n aws sqs list-queues --region insert-your-region-here\n ```\n\n2. Run the `get-queue-attributes` command with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes \\\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue \\\n --attribute-names Policy\n ```\n3. Run the `remove-permission` command to [remove any unwanted permissions][3] from your queue policy.\n\n ```\n aws sqs remove-permission \\\n --region insert-your-region-here \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-remove\n\n4. Run the `add-permission` command to [add a new permission][4] to your queue policy.\n\n ```\n aws sqs add-permission \\\n --queue-url https://queue.amazonaws.com/YourAccountID/YourQueue \\\n --label insert-label-name \\\n --aws-account-ids insert-aws-account-ids-here \\\n --actions insert-action-to-add\n ```\n5. 
Complete steps 2 through 4 for any remaining queue URLs returned from step 1 for each region you have SQS enabled.\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/remove-permission.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else if {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\"\n\n# This part remains unchanged for 
all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\n1. [Disable direct SSH access][1] to your Azure Virtual Machines from the internet. \n2. Choose one of the following methods to access the virtual machines for remote management:\n * [Point-to-site VPN][3]\n * [Site-to-site VPN][4]\n * [ExpressRoute][5]\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][2]\n\n[1]: https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n[3]: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal\n[4]: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal\n[5]: 
https://learn.microsoft.com/en-us/azure/expressroute/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\n\tsome port_range in split(security_rule.destination_port_range, \",\")\n\tcheck_non_compliant_port_range(port_range)\n\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"::/0\", \"Internet\", \"Any\"]\n}\n\ncheck_non_compliant_port_range(port_range) if {\n\tport_range 
in [\"22\", \"*\"]\n} else if {\n\tcontains(port_range, \"-\")\n\tsplit_port_range := split(port_range, \"-\")\n\n\tto_number(split_port_range[0]) <= 22\n\tto_number(split_port_range[1]) >= 22\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From the console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\nis_numeric(x) if {\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tsome port in allowed.ports\n\tcontains(port, \"-\")\n\trange := split(port, \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else if {\n\tsome port in allowed.ports\n\tport != \"\"\n\tis_numeric(port)\n\tto_number(port) == target_port\n} else if {\n\tsome port in allowed.ports\n\tport == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tsome allowed in compute_firewall.allowed\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" if {\n\tsome source_range in compute_firewall.source_ranges\n\tsource_range in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(mysql_server) = \"pass\" if {\n\tmysql_server.ssl_enforcement == \"Enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_mysql_server"]},"validationQuery":"","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). 
Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\n### From the console\n1. Login to Azure Portal using [https://portal.azure.com][1]\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled to enforce SSL connection \n\n### From the command line\n\n ```\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security][2]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit][3]\n\n[1]: https://portal.azure.com\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.
2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"pass\" if {\n\tlower(postgresql_server.ssl_enforcement) == \"enabled\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. 
\n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"}]} headers: Content-Type: - application/json 
@@ -793,7 +725,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file 
has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## 
Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. 
You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"meta":{"page":{"total_filtered_count":100,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. 
You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\n### From the console\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(ad_security_defaults_policy) = \"pass\" if {\n\tad_security_defaults_policy.is_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_ad_security_defaults_policy"]},"validationQuery":"","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. 
Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or 
modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. 
`/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. 
Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. 
[https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot 
is_admin_user(gip)\n} else = \"fail\" if {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning 
service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. 
To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: 
https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountUser\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. 
Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == 
\"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database 
to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_checkpoints_on(server_config) if {\n\tserver_config.name == \"log_checkpoints\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_checkpoints_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. 
Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_connections_off(server_config) if 
{\n\tserver_config.name == \"log_connections\"\n\tserver_config.value == \"off\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_connections_off(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL 
Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlog_disconnections_on(server_config) if {\n\tserver_config.name == \"log_disconnections\"\n\tserver_config.value == \"on\"\n}\n\neval(postgresql_server) = \"pass\" if {\n\tsome server_config in postgresql_server.server_configs\n\tlog_disconnections_on(server_config)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL 
statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### From the console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### From the command line\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. 
Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\"\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\n### From the console\n\n1. 
Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nis_numeric(x) if 
{\n\tregex.match(`^-?\\d+(\\.\\d+)?$`, x)\n}\n\nserver_config_not_compliant(server_config) if {\n\tis_numeric(server_config.value)\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. 
Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","requirement:Storage-Accounts","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_blob_service(blob_service) if {\n\tblob_service.delete_retention_policy_enabled\n\tblob_service.delete_retention_policy_days > 0\n} else if {\n\tblob_service.delete_retention_policy.enabled\n\tblob_service.delete_retention_policy.days > 0\n}\n\neval(storage_account) = \"pass\" if {\n\tsome blob_service in storage_account.blob_services\n\tcompliant_blob_service(blob_service)\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","source:azure.storage","level:1","requirement:Storage-Accounts","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\n### From the console\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Accounts","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_account) = \"pass\" if {\n\tstorage_account.encryption.key_source == \"Microsoft.Keyvault\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_storage_account"]},"validationQuery":"","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1574-hijack-execution-flow","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect attempts to load a malicious library.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as `LD_PRELOAD`, or configuration files such as `/etc/ld.so.preload/`, which the dynamic linker uses to load shared libraries. \n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.39 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dynamic_linker_config_unlink -@process.executable.path:(\"/usr/bin/dpkg\" OR \"/usr/bin/yum\")","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_unlink","distinctFields":[]},{"query":"@agent.rule_id:dynamic_linker_config_write","groupByFields":["host"],"aggregation":"count","name":"dynamic_linker_config_write","distinctFields":[]},{"query":"@agent.rule_id:ld_preload_unusual_library_path","groupByFields":["host"],"aggregation":"count","name":"ld_preload_unusual_library_path","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"suspected_dynamic_linker_hijacking","condition":"dynamic_linker_config_unlink > 0 || dynamic_linker_config_write > 0 || ld_preload_unusual_library_path > 0"}],"type":"workload_security","id":"qr1-yg4-ab3","createdAt":1670612608535,"name":"Suspected dynamic linker hijacking attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. 
If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. 
If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. \n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the 
Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092249514,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"workload_security","id":"6pg-sy3-vc5","isDefault":false,"name":"Test"},{"creationAuthorId":1445416,"tags":[],"isEnabled":false,"hasExtendedTitle":false,"message":"Test","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":1,"createdAt":1668092310914,"filters":[],"queries":[{"query":"@agent.rule_id:1234","groupByFields":[],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"c4n-gxt-rmi","isDefault":false,"name":"Test xxx1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by 
root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets 
use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. 
[https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Paramet
er","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a 
project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_access(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"UDP\", \"*\"]\n\tsecurity_rule.direction == 
\"Inbound\"\n\tsecurity_rule.destination_port_range in [\"*\", \"53\", \"123\", \"161\", \"389\", \"1900\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsome security_rule in security_group.security_rules\n\tnon_compliant_access(security_rule)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. 
This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is 
executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":176,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.executable.name:\"unattended-upgrade\" -@process.ancestors.executable.name:(\"xtables-legacy-multi\" OR \"apt.systemd.daily\") -@module.name:(\"nf_tables\" OR \"iptable_filter\" OR \"ip6table_filter\" OR \"bpfilter\" OR \"ip6_tables\" OR \"ip6table_nat\" OR \"nf_reject_ipv4\" OR \"ipt_REJECT\" OR \"iptable_raw\")"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. 
In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. 
It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account 
token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a `Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. 
If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1136-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.executable.path:(\"/usr/bin/unattended-upgrade\" OR \"/usr/bin/dpkg\" OR \"/usr/bin/yum\" OR \"/usr/bin/rpm\") -@process.args:\"-D\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets while also receiving an error message of `AccessDenied`, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user receives an anomalous number of `AccessDenied` messages while attempting to retrieve secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. 
Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n## Changelog\n* 25 October 2022 - Updated query.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue @error.kind:AccessDenied -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - 
Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging-and-Monitoring","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Go to **Monitor**.\n2. Select **Alerts**.\n3. Click On **New Alert Rule**.\n4. 
Under **Scope**, click **Select Resource**.\n5. Select the appropriate subscription under **Filter by Subscription**.\n6. Select **Policy Assignment** under **Filter by Resource Type**.\n7. Select **All** for **Filter by Location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Verify selection preview shows **All Policy** assignment (policyAssignments) and your selected subscription name.\n10. Click **Done**.\n11. Under **Condition** click **Add Condition**.\n12. Select **Create Policy Assignment** signal.\n13. Click **Done**.\n14. Under **Action Group**, select **Add Action Groups** and complete creation process or select appropriate action group.\n15. Under **Alert Rule Details**, enter **Alert Rule Name** and **Description**.\n16. Select appropriate resource group to save the alert to.\n17. Check **Enable alert rule upon creation** checkbox.\n18. Click **Create Alert Rule**.\n\n### From the Azure Command Line Interface\n\nTo create an Activity Log Alert for Create policy, use this command:\n```\naz account get-access-token --query\n\"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1\nbash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type:\napplication/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data mentioned below:\n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/write\",\n\t\t\t\t\t\"field\": 
\"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable parameters for the command line include the following: \n- \n- \n \nConfigurable parameters for `input.json` include the following: \n- in scopes \n- in actionGroupId \n- in actionGroupId \n- in actionGroupId\n\n\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2]\n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3]\n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n[5]: 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. 
Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate 
an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. 
\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := 
input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL 
Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\tnot 
condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. 
Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.security/securitysolutions/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if 
{\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/write\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. 
Using the Azure Portal search bar, search for **Monitor**. \n2. Select **Alerts** from the left-hand panel.\n3. Click **Create** and from the drop down select **Alert rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Virtual machines** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows your selected Virtual Machine(s) and subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Deallocate Virtual Machine** signal name. \n13. Navigate to **Actions**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Navigate to **Details** and select the appropriate resource group to save the alert to. \n16. Enter **Alert rule name** and **Alert rule description**.\n17. Under the **Advanced options** drop-down menu, click on the **Enable alert rule upon creation** checkbox.\n18. Click **Review + create** and verify all of the alert settings are correct.\n19. Click **Create**.\n\n### From the command line\n\n ```bash\n az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n ```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n ```json\n {\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n }\n ```\n\n**Using PowerShell AZ cmdlets**: \n ```powershell\n $ComplianceName = 'Deallocatete Virtual Machine'\n $Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n $Category = 'Administrative'\n $ResourceGroupName = 'MyResourceGroup'\n $actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n $ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n $Subscription = (Get-AzContext).Subscription\n $location = 'Global'\n $scope = \"/subscriptions/$($Subscription.Id)\"\n $alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n $conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n )\n Set-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate/action\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged 
for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the 
Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert 
:= input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","requirement:Azure","control:164.308-a-3-ii-a","control:2.3","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","framework:security-labs","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.3","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1
"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.network/loadbalancers/delete\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can 
detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object 
Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:Logging-and-Monitoring","requirement:System-Operations","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox.\n\n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", 
subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:Logging-and-Monitoring","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight 
into changes in the **Policy - Assignments** page and reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. 
Click **Create alert rule**.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\"\nhttps://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"\n```\n\nWhere `input.json` contains the request body JSON data below: \n\n```json\n{\n\t\"location\": \"Global\",\n\t\"tags\": {},\n\t\"properties\": {\n\t\t\"scopes\": [\n\t\t\t\"/subscriptions/\"\n\t\t],\n\t\t\"enabled\": true,\n\t\t\"condition\": {\n\t\t\t\"allOf\": [{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Administrative\",\n\t\t\t\t\t\"field\": \"category\"\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t\"containsAny\": null,\n\t\t\t\t\t\"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n\t\t\t\t\t\"field\": \"operationName\"\n\t\t\t\t}\n\t\t\t]\n\t\t},\n\t\t\"actions\": {\n\t\t\t\"actionGroups\": [{\n\t\t\t\t\"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\t\t\t\t\"webhookProperties\": null\n\t\t\t}]\n\t\t}\n\t}\n}\n```\n\nConfigurable Parameters for command line:\n- ``\n- ``\n\nConfigurable Parameters for `input.json`:\n- `` in scopes\n- `` in actionGroupId\n- `` in actionGroupId\n- `` in actionGroupId\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = 
\"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][1]\n2. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][3] \n4. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources][4] \n5. [https://azure.microsoft.com/en-us/services/blueprints/][5]\n\n[1]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[2]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[4]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n[5]: https://azure.microsoft.com/en-us/services/blueprints/\n\n## Additional Information\n\n- This log alert also applies for Azure 
Blueprints.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignment' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete 
PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the console\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. 
Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. Click `Create`.\n\n### From the command line\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. 
[https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. [https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operati
ons","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Logging-and-Monitoring","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n### From the command line \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 'Delete Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security
","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tsome activity_log_alert in input.resources.azure_activity_log_alert\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(activity_log_alert)\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_condition(condition) if {\n\tcondition.field == \"operationName\"\n\tlower(condition.equals) == \"microsoft.sql/servers/databases/move/action\"\n\tnot condition.contains_any\n}\n\ncompliant_conditions(activity_log_alert) if {\n\tsome condition in activity_log_alert.condition_all_of\n\tcompliant_condition(condition)\n} else if {\n\tsome condition in activity_log_alert.condition.all_of\n\tcompliant_condition(condition)\n}\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcompliant_conditions(azure_activity_log_alert)\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the 
console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = 
\"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful 
elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", 
[\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n### From the console\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n### From the command line\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" if {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\"\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Default-Security-Parameter","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else if {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### From the console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### From the command line\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"insert-vpc-policy-id\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"insert-allowed-arns\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run the `modify-vpc-endpoint` command with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint \\\n --region insert-region-here\n --vpc-endpoint-id insert-vpc-endpoint-id \\\n --policy-document file://insert-new-vpc-policy-filename.json\n ```\n\n3. Repeat steps 1 & 2 for all non-compliant VPC Endpoints in the current region.\n4. 
Repeat steps 1 & 2 for all non-compliant VPC Endpoints in other regions.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement) if {\n\tcheck_principal_conditions(vpc_endpoint_policy_statement)\n\tnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement)\n}\n\nnon_compliant_policy_statement_conditions(vpc_endpoint_policy_statement) if {\n\tnot vpc_endpoint_policy_statement.statement_has_condition\n\tlower(vpc_endpoint_policy_statement.statement_effect) == \"allow\"\n}\n\ncheck_principal_conditions(vpc_endpoint_policy_statement) if {\n\tvpc_endpoint_policy_statement.policy_principal.principal == \"*\"\n} else if {\n\tvpc_endpoint_policy_statement.policy_principal.principal_aws[_] == \"*\"\n}\n\neval(vpc_endpoint_policy_statement) = \"fail\" if {\n\tnon_compliant_vpc_endpoint_policy_statement(vpc_endpoint_policy_statement)\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc_endpoint_policy_statement"]},"validationQuery":"","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. 
You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. [http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"1
64.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(vpc) = \"pass\" if {\n\tsome flowlog in vpc.flowlogs\n\tflowlog.flow_log_status == \"ACTIVE\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_vpc"]},"validationQuery":"","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. 
\n\n## Strategy\nThis rule monitors Vault Audit Logs (`source:vault`) to detect when `root` is seen in:\n\n* auth policy (`@auth.policies`)\n\nThis rule also monitors the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n* 29 June 2022 - Updated queries to reduce noise levels. Replaced initial query with token creation detection.\n* 17 October 2022 - Updated queries and cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @http.url_details.path:\"sys/generate-root/attempt\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_initialized","distinctFields":[]},{"query":"source:vault @http.url_details.path:\"sys/generate-root/update\" @type:response @http.method:update","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root @type:response","groupByFields":["@auth.accessor"],"aggregation":"count","name":"root_token_used","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Initialized","condition":"root_token_initialized > 0"},{"status":"high","notifications":[],"name":"Created","condition":"root_token_created > 0"},{"status":"high","notifications":[],"name":"Used","condition":"root_token_used > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root 
Token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the 
most recent bug fixes and security patches.\n\n## Remediation\n\n### From the console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### From the command line\n\n1. Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(redshift_cluster) = \"pass\" if {\n\tredshift_cluster.allow_version_upgrade\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_redshift_cluster"]},"validationQuery":"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\n### From the console\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\n### Using PowerShell\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(virtual_machine_instance) = \"pass\" if {\n\tvirtual_machine_instance.storage_profile.os_disk.managed_disk_id != \"\"\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_virtual_machine_instance"]},"validationQuery":"","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. 
Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email 
notifications to admins and subscription owners\". This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting 
\"Periodic recurring scans\" schedules periodic (weekly) vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\n### From the console\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate 
for incoming requests. Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\n### From the command line\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.client_cert_enabled\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. 
App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\n### From the console\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\n### From the command line\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_min_tls_version(app_service) if {\n\tapp_service.site_config_min_tls_version == \"1.2\"\n} else if {\n\tapp_service.site_config.min_tls_version == \"1.2\"\n}\n\neval(app_service) = \"pass\" if {\n\tcompliant_min_tls_version(app_service)\n} else = \"fail\"\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:AppService","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Azure","framework:cis-azure","control:4.1","control:2.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. 
Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\n### From the console\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\n### From the command line\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"AppService","version":"1.3.0"},{"control":"2.1","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(app_service) = \"pass\" if {\n\tapp_service.https_only\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_app_service"]},"validationQuery":"","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1070-indicator-removal","source:windows","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`.\n\n## Changelog\n* 27 October 2022 - updated tags.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes 
> 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log Cleared"}]} headers: Content-Type: - application/json 
@@ -810,7 +742,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin 
Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more 
restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR 
random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered 
(updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high 
case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127340,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wtt-nh6-juo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"}]} + {"meta":{"page":{"total_filtered_count":30,"total_count":730}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. 
","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain 
Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall 
Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate 
administrators"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## 
Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540941284,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"o68-soo-c12","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540939"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540946161,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"r7n-huo-4rt","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540944"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package 
datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671540952520,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"wth-wau-03b","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671540950"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["terraform:true","test:acceptance-updated"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"Acceptance test TF rule - updated","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog # updated","resourceTypes":["gcp_compute_disk","gcp_compute_instance","gcp_compute_firewall"]},"complexRule":true},"keepAlive":21600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":true,"defaultGroupByFields":null,"userGroupByFields":["@resource","@resource_type"]},"cases":[{"status":"high","notifications":["@channel-upd"],"name":"","condition":"a > 0"}],"id":"u2m-agy-swa","createdAt":1671541008003,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671541006 - updated"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance 
test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542720397,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 0"}],"id":"grb-fzj-wqh","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542718"},{"creationAuthorId":1445416,"tags":["test:acceptance","terraform:true"],"type":"cloud_configuration","isEnabled":false,"hasExtendedTitle":true,"message":"Acceptance test TF rule","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"gcp_compute_instance","regoRule":{"policy":"package datadog","resourceTypes":["gcp_compute_instance","gcp_compute_disk"]},"complexRule":true},"keepAlive":21600},"version":1,"createdAt":1671542793321,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":null,"userActivationStatus":false,"defaultGroupByFields":null,"userGroupByFields":["@resource"]},"cases":[{"status":"low","notifications":["@channel"],"name":"","condition":"a > 
0"}],"id":"il3-uli-eqq","isDefault":false,"name":"tf-TestAccDatadogCloudConfigurationRule_Basic-local-1671542791"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552482017,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"77c-zma-o7f","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552480"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552551633,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hop-rqz-f8v","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552550"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552663049,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 
0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhn-veo-7mp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552661"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671552679840,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kbd-8wc-8cq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671552678"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553311788,"filters":[{"action":"suppress","query":"does not really 
suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3am-l1f-ved","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553310"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553346438,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vmb-tgh-ihm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553344"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553410647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"p3o-o9v-1ha","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553409"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553453803,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qfz-lca-swv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553452"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1671553538312,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zmw-kgv-yds","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1671553537"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From the console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} headers: Content-Type: - application/json 
@@ -827,109 +759,7 @@ interactions: method: GET response: body: | - {"meta":{"page":{"total_filtered_count":24,"total_count":824}},"data":[{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not 
really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 
0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, 
clients can attempt to connect to\nthat instance from any IP address. Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":824}},"data":[]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules/myy-dsj-omk - method: GET - response: - body: | - 
{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. 
[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). \n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=0&page%5Bsize%5D=100 - method: GET - response: - body: | - 
{"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.3.6","source:google_sql_database_instance","control:3.4","requirement:Communications-Security","framework:cis-gcp","requirement:Compliance","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_sql_database_instance","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `3625 (trace flag)` database flag to `off` for GCP SQL Server instance.\n\n## Rationale\n\nMicrosoft SQL trace flags are frequently used to diagnose performance issues or to debug stored procedures or complex computer systems, but they may also be recommended by Microsoft Support to address behavior that is negatively impacting a specific workload. All documented trace flags and those recommended by Microsoft Support are fully supported in a production environment when used as directed. `3625 (trace log)` limits the information returned to users who are not members of the sysadmin fixed server role, by masking the parameters of some error messages using '******'. Setting this in a Google Cloud flag for the instance allows for security through obscurity and prevents the disclosure of sensitive information. Hence, it is recommended to set this flag to `off` globally to prevent the flag from being left on or turned on by bad actors. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nChanging flags on a database may cause it to be restarted. The best time to do this is when there is low usage.\n\n## Remediation\n\n### From the console\n\n1. 
Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `3625` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `3625` database flag for every GCP SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"3625=off\"\n```\n\n#### Note\nThis command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n\n## Additional Information\n\n- Configuring the above flag restarts the GCP SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. 
[https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/t-sql/database-console-commands/dbcc-traceon-trace-flags-transact-sql?view=sql-server-ver15#trace-flags\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"3625\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"2x0-5oi-nhu","createdAt":1657310084964,"name":"'3625 (trace flag)' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:2.11","cloud_provider:azure","control:A.12.4.1","level:1","source:azure.policy","requirement:Application-Updates","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","requirement:Security-Center","framework:cis-azure","control:6.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","scope:azure.policy","control:CC4.1","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable automatic provisioning of the monitoring agent to collect security data.\n\n## Rationale\n\nWhen automatic provisioning of monitoring agent is turned on, Azure Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. 
The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Security Center\n2. Click on Pricing & Settings\n3. Click on a subscription\n4. Click on Data Collection\n5. Set Automatic provisioning to On\n6. Click save Repeat the above for any additional subscriptions.\n\nAzure Command Line Interface 2.0:\n\nUse the below command to set automatic provisioning of monitoring agent:\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/autoProvisioningSettings/default?api-version=2017-08-01-preview -d@\"input.json\"''\n```\n\nWhere input.json contains the Request body json data as mentioned below. \n\n```bash\n{ \"id\"\"/subscriptions//providers/Microsoft.Security/autoProvisioningSettings/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/autoProvisioningSettings\", \"properties\"{ \"autoProvision\"\"On\" } }\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security \n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection \n3. https://msdn.microsoft.com/en-us/library/mt704062.aspx\n4. https://msdn.microsoft.com/en-us/library/mt704063.aspx\n5. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/list \n6. https://docs.microsoft.com/en-us/rest/api/securitycenter/autoprovisioningsettings/create \n7. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\nAdditional Information: Excluding any of the entries in `input.json` may disable the specific setting by default Microsoft has recently changed APIs to get and Update Automatic Provisioning setting. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3.1 - Run Automated Vulnerability Scanning Tools: Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.11","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"@auto_provision:Off","resourceType":"azure_security_center_auto_provisioning","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_center_auto_provisioning 
(@auto_provision:Off)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ota-kzg-lsb","createdAt":1635237006719,"name":"'Automatic provisioning of monitoring agent' is set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.2","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with a Customer Managed Key (CMK).\n\n## Rationale\n\nEncrypting the IaaS VM's OS disk (boot volume) and data disks (non-boot volume) ensures that the entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. CMK is superior encryption although requires additional planning.\n\n## Remediation\n\nAzure Console:\n\n**Note**: Disks must be detached from VMs to have encryption changed.\n\n1. Go to Virtual Machines\n2. For each virtual machine, go to Settings\n3. Click on Disks\n4. Click the X to detach the disk from the VM\n5. Search for disks and locate the unattached disk\n6. Click the disk select Encryption\n7. Change your encryption type and select your encryption set\n8. Click Save\n9. 
Go back to the VM and re-attach the disk\n\nPowerShell:\n\n```powershell\n$KVRGname = ''MyKeyVaultResourceGroup''; $VMRGName = ''MyVirtualMachineResourceGroup''; $vmName = ''MySecureVM''; $KeyVaultName = ''MySecureVault''; $KeyVault = Get-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $KVRGname; $diskEncryptionKeyVaultUrl = $KeyVault.VaultUri; $KeyVaultResourceId = $KeyVault.ResourceId; Set-AzVMDiskEncryptionExtension -ResourceGroupName $VMRGname -VMName $vmName -DiskEncryptionKeyVaultUrl $diskEncryptionKeyVaultUrl -DiskEncryptionKeyVaultId $KeyVaultResourceId;\n```\n\n**NOTES**:\n\n- During encryption, a reboot is likely required. It may take up to 15 minutes to complete the process.\n\n- On Linux machines, you may need to set the `-skipVmBackup` parameter.\n\n## Impact\n\nUsing CMK/BYOK entail additional management of keys. You must have your key vault setup to use this.\n\n## References\n\n\n1. https://docs.microsoft.com/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-resthttps://docs.microsoft.com/azure/virtual-machines/windows/disk-encryption-portal-quickstart\n4. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n7. 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disks-enable-customer-managed-keys-powershell\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Attached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Attached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i6x-xne-idt","createdAt":1631690475494,"name":"'OS and Data' disks are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Application-Updates","framework:iso-27001","scope:azure.storage","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.5.3","framework:cis-azure","control:4.1","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable data encryption in transit.\n\n## Rationale\n\nThe secure transfer option enhances the security of a storage account by only allowing requests to the storage account by a secure connection. For example, when calling REST APIs to access storage accounts, the connection must be HTTPS. Any requests using HTTP will be rejected when secure transfer required is enabled. When using the Azure files service, connection without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Configuration\n3. Set Secure transfer required to Enabled\n\nAzure Command Line:\n\nInterface 2.0 - Use the below command to enable Secure transfer required for a Storage Account: `az storage account update --name --resource-group --https-only true`\n\n## References\n\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#encryption-in-transit\n2. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_list\n3. https://docs.microsoft.com/en-us/cli/azure/storage/account?view=azure-cli-latest#az_storage_account_update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 - 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@supports_https_traffic_only:true","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"querie
s":[{"query":"resource_type:azure_storage_account (-@supports_https_traffic_only:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"vlg-zuu-zub","createdAt":1635847712936,"name":"'Secure transfer required' is set to 'Enabled'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:3.7","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSome Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services use strong authentication to access the storage account. 
If Allow trusted Microsoft services exception is enabled, the following services, when registered in the subscription, are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse.\n\n## Rationale\n\nTurning on firewall rules for storage account blocks access to incoming requests for data, including from other Azure services. This includes using the portal, writing logs, etc. You can re-enable access to services like Monitor, Networking, Hubs, and Event Grid by enabling Trusted Microsoft Services through exceptions. The exception also supports backing up and restoring virtual machines using unmanaged disks in storage accounts with network rules applied.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. Ensure that Allow access from selected networks is enabled.\n4. Enable Allow trusted Microsoft services to access this storage account.\n5. Click Save to apply your changes.\n\nAzure Command Line Interface:\n\nUse the following command to update trusted Microsoft services: `az storage account update --name --resource-group --bypass AzureServices`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n\n## CIS Controls\n\nVersion 7 9.2 - Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.bypass:*AzureServices*","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account 
(-@network_acls.bypass:*AzureServices*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"psg-u8u-lwo","createdAt":1631690476330,"name":"'Trusted Microsoft Services' is enabled for Storage Account access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:3.4.1","control:7.3","framework:cis-azure","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that unattached disks in a subscription are encrypted with a customer managed key (CMK).\n\n## Rationale\n\nManaged disks are encrypted by default with platform-managed keys. Using customer-managed keys may provide an additional level of security or meet an organization's regulatory requirements. Encrypting managed disks ensures that its entire content is fully unrecoverable without a key and thus protects the volume from unwarranted reads. Even if the disk is not attached to any of the VMs, there is always a risk where a compromised user account with administrative access to VM service can mount/attach these data disks which may lead to sensitive information disclosure and tampering.\n\n## Impact\n\nEncryption is available only on standard tier VMs. This could impact cost. 
Utilizing and maintaining customer-managed keys requires additional work to create, protect, and rotate keys.\n\n## Remediation\n\nIf data stored in the disk is no longer useful, refer to [Azure documentation][1] to delete unattached data disks. If data stored in the disk is important, encrypt the disk. See the [Disk enable customer managed keys customer][2] or the [Encryption settings][3] documentation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/azure-disk-encryption-vms-vmss\n2. https://docs.microsoft.com/en-us/azure/security-center/security-center-disk-encryption?toc=%2fazure%2fsecurity%2ftoc.json\n3. https://docs.microsoft.com/en-us/rest/api/compute/disks/delete\n4. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n5. https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings\n6. https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-update\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://docs.microsoft.com/en-us/rest/api/compute/disks/delete -https://docs.microsoft.com/en-us/cli/azure/disk?view=azure-cli-latest#az-disk-delete\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-enable-customer-managed-keys-portal\n[3]: 
https://docs.microsoft.com/en-us/rest/api/compute/disks/update#encryptionsettings","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@encryption_type:EncryptionAtRestWithCustomerKey","resourceType":"azure_managed_disk","filter":"@disk_state:Unattached","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_managed_disk @disk_state:Unattached (-@encryption_type:EncryptionAtRestWithCustomerKey)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bae-mte-pj5","createdAt":1631690476274,"name":"'Unattached disks' are encrypted with 
CMK"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","control:10.3.6","control:10.5.4","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","control:10.3.5","control:10.5.3","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.1","control:10.2.5","control:10.3.4","control:A.12.4.1","control:10.2.4","control:10.3.3","control:10.2.3","control:10.3.2","control:A.12.4.3","control:10.2.2","control:10.3.1","framework:cis-gcp","level:1","scope:google_sql_database_instance","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","control:6.2.9","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the `cloudsql.enable_pgaudit` database flag so that each Cloud SQL PostgreSQL instance has centralized logging.\n\n## Rationale\n\nBecause many other recommendations in this section involve turning on flags for logging\npurposes, your organization needs a way to manage these logs. If you do not already have a solution in \nplace, consider enabling database auditing in PostgreSQL by installing the open source pgAudit extension and enabling the `cloudsql.enable_pgaudit` flag. The extension provides\ndetailed session and object logging to comply with government, financial, and ISO standards. It provides \nauditing capabilities to mitigate threats by monitoring security events on the\ninstance. Enabling the flag and the settings described below sends the logs to\nGoogle Logs Explorer so that you can access them in a central location. This\nrecommendation is applicable only to PostgreSQL database instances.\n\n## Impact\n\nEnabling the pgAudit extension can lead to increased data storage requirements. 
To\nensure durability of pgAudit log records in the event of unexpected storage issues, \nenable the **Enable automatic storage increases** setting on the\ninstance. Enabling flags on the command line will overwrite all existing flags, so you\nshould apply _all_ needed flags in each CLI command. You might need to restart the\nserver to see the effects of enabling flags, so update your servers at a\ntime of low usage.\n\n## Remediation\n\n### Initialize the pgAudit flag\n\n#### From the console\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. Enter `cloudsql.enable_pgaudit` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\nRun the following command by providing to enable `cloudsql.enable_pgaudit` flag:\n```\ngcloud sql instances patch --database-flags=cloudsql.enable_pgaudit=on\n```\n \n**Note**: Restart the database server for this configuration change to take effect.\n\n### Create the extension\n1. Connect to the the server running PostgreSQL or through a SQL client of your choice.\n2. Open the PostgreSQL shell. For example, if you're using SSH to access the server, run:\n3. Run the following command as a superuser:\n ```\n CREATE EXTENSION pgaudit;\n ```\n### Update the `pgaudit.log` flag\n\n#### From the console\n**Note**: There are multiple options for updating the flag. The following instructions enable logging for all databases\non a server. Read [Customizing database audit logging][4] for more flag\noptions.\n\n1. Go to [GCP console][1].\n2. Select the instance to open its Overview page.\n3. Click **Edit**.\n4. Scroll down and expand Flags.\n5. To set a flag that has not been set on the instance before, click **Add item**.\n6. 
Enter `pgaudit.log=all` for the flag name and set the flag to on.\n7. Click **Done**.\n8. Click **Save** to update the configuration.\n9. Confirm your changes under Flags on the Overview page.\n\n#### From the command line\n\nRun the command:\n```\ngcloud sql instances patch --database-flags \\\ncloudsql.enable_pgaudit=on,pgaudit.log=all\n```\n\n### Check for the logs in Google Logs Explorer\n1. From the Google Console home page, open the menu in the top left.\n2. In the menu's Operations section, select Logs Explorer.\n3. In the query box, copy in the following query:\n\n ```\n resource.type=\"cloudsql_database\"\n logName=\"projects//logs/cloudaudit.googleapis.com%2Fdata_access\"\n protoPayload.request.@type=\"type.googleapis.com/google.cloud.sql.audit.v1.PgAuditEntry\n ```\nIf it returns any log sources, they are correctly set up.\n\n## Default value\nBy default `cloudsql.enable_pgaudit` database flag is set to off and the extension is not enabled.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres][2]\n2. [https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag][3]\n3. [https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging][4]\n4. [https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable][5]\n\n## Additional Information\n**WARNING**: This extension modifies database flag values, which may require your instance to be\nrestarted. 
Check the [List of supported flags][6] to see if your instance needs to be restarted\nwhen this extension is set up.\n**Note**: Configuring the `cloudsql.enable_pgaudit` database flag requires restarting the Cloud\nSQL PostgreSQL instance.\n\n## CIS controls\n\nVersion 8\n8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n8.9 - Centralize Audit Logs\n- Centralize, to the extent possible, audit log collection and retention across\nenterprise assets.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags#list-flags-postgres\n[3]: https://cloud.google.com/sql/docs/postgres/pg-audit#enable-auditing-flag\n[4]: https://cloud.google.com/sql/docs/postgres/pg-audit#customizing-database-audit-logging\n[5]: https://cloud.google.com/logging/docs/audit/configure-data-access#config-console-enable\n[6]: 
https://cloud.google.com/sql/docs/postgres/flags\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.9","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","
framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cloudsql.enable_pgaudit\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6hz-owg-7y7","createdAt":1657889011689,"name":"'cloudsql.enable_pgaudit' database flag is set to 'on' for centralized logging on Postgresql 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.4","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.7","requirement:Least-Privileged-Access","requirement:Confidentiality","requirement:Communications-Security","control:7.1","control:C1.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `contained database authentication` database flag for SQL Server instances to `off`.\n\n## Rationale\n\nA contained database includes all database settings and metadata required to define the database and has no configuration dependencies on the instance of the Database Engine where the database is installed. Users can connect to the database without authenticating a login at the Database Engine level. Isolating the database from the Database Engine makes it possible to easily move the database to another instance of SQL Server. Contained databases have some unique threats that should be understood and mitigated by SQL Server Database Engine administrators. Most of the threats are related to the `USER WITH PASSWORD` authentication process, which moves the authentication boundary from the Database Engine level to the database level. Hence, disabling this flag is recommended. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nWhen `contained database authentication` is off (`0`) for the instance, contained databases cannot be created, or attached to the Database Engine. 
Turning on logging will increase the required storage over time. Mismanaged logs may cause your storage costs to increase. Setting custom flags via the command line on certain instances will cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the [Cloud SQL Instances][1] page in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `contained database authentication` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line\n\nConfigure the `contained database authentication` database flag for every SQL Server database instance using the below command.\n```\ngcloud sql instances patch --database-flags \"contained database authentication=off\"\n```\n\n**Note**: This command will overwrite all database flags previously set. To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n\n## Additional Information\n\n- Configuring this flag does not restart the SQL Server instance.\n\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15][3]\n3. [https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15][4]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15\n[4]: https://docs.microsoft.com/en-us/sql/relational-databases/databases/security-best-practices-with-contained-databases?view=sql-server-ver15","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"contained database authentication\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"snw-rsr-ilm","createdAt":1658463161618,"name":"'contained database authentication' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.3.2","security:compliance","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that you set the `cross db ownership chaining` database flag for SQL Server instance to `off`.\n\n## Rationale\nThe `cross db ownership` option is used to configure cross-database ownership chaining for an instance of Microsoft SQL Server. This server option allows you to control cross-database ownership chaining at the database level or to allow cross-database ownership chaining for all databases. Enabling `cross db ownership` is not recommended unless all of the databases hosted by the instance of SQL Server must participate in cross-database ownership chaining, and you are aware of the security implications of this setting. This recommendation is applicable to SQL Server database instances.\n\n### Impact\nUpdating flags may cause the database to restart. This may cause the database to be unavailable for a short amount of time, so this is best done at a time of low usage. 
You should also determine if the tables in your databases reference another table without using credentials for that database, as turning off cross database ownership will break this relationship.\n\n - Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n - Configuring the `cross db ownership chaining` flag does not restart the Cloud SQL instance.\n\n - Note: The command to set database flags overwrites all database flags previously set. To keep the existing settings while adding new flags, include the values for all flags to be set on the instance. Cloud SQL sets any flag not specifically included in the list to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `cross db ownership chaining` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n### From the command line:\nConfigure the `cross db ownership chaining` database flag for every SQL Server database instance using the below command:\n \n```\ngcloud sql instances patch --database-flags \"cross db ownership chaining=off\"\n```\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. 
[https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"cross db ownership chaining\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" 
{\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yje-u1y-rls","createdAt":1657665271111,"name":"'cross db ownership chaining' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.1","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set `external scripts enabled` database flag for SQL 
Server instance to `off`.\n\n## Rationale\n\nThe `external scripts enabled` flag enables the execution of scripts with certain remote language extensions. This flag is `off` by default. When Advanced Analytics Services is installed, during the set up, you can optionally set this flag to `on`. The External Scripts Enabled feature allows scripts external to SQL, such as files located in an R library, to be executed, which could adversely affect the security of the system. Hence, the flag should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances can cause all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flag section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the flag `external scripts enabled` from the drop-down menu, and set its value to `off`.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n\nConfigure the `external scripts enabled` database flag for every SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"external scripts enabled=off\"\n```\n\nNote: This command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default Value\n\nBy default `external scripts enabled` is `off`.\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n- Configuring the `external scripts enabled` flag restarts the Cloud SQL instance.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15][2]\n2. [https://cloud.google.com/sql/docs/sqlserver/flags][3]\n3. [https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15][4]\n4. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79347][5]\n\n## CIS Controls\n\nVersion 8 - 2.7 Allowlist Authorized Scripts\n- Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently.\n\nVersion 7 - 2.9 Implement Application Whitelisting of Scripts\n- The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc) are allowed to run on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/external-scripts-enabled-server-configuration-option?view=sql-server-ver15\n[3]: https://cloud.google.com/sql/docs/sqlserver/flags\n[4]: https://docs.microsoft.com/en-us/sql/advanced-analytics/concepts/security?view=sql-server-ver15\n[5]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"external scripts enabled\"\n\tdatabase_flags.value == \"on\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"14g-yot-4od","createdAt":1657715719319,"name":"'external scripts enabled' database flag is set to 'off' for SQL Server 
Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.3","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends setting the `local_infile` database flag for a Cloud SQL MySQL instance to off.\n\n## Rationale\n\nThe `local_infile` flag controls the server-side LOCAL capability for LOAD DATA statements. Depending on the `local_infile` setting, the server refuses or permits local data loading by clients that have LOCAL enabled on the client side.\n\nTo explicitly cause the server to refuse LOAD DATA LOCAL statements (regardless of how client programs and libraries are configured at build time or runtime), start mysqld with `local_infile` disabled. `local_infile` can also be set at runtime.\n\nDue to security issues associated with the `local_infile` flag, Datadog recommends disabling it. This recommendation is applicable to MySQL database instances.\n\n## Impact\n\nDisabling `local_infile` causes the server to refuse local data loading by clients that have LOCAL enabled on the client side.\n\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [Cloud SQL Instances page][1].\n2. Select the MySQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. 
To set a flag that has not been set on the instance before, click **Add item**, choose the `local_infile` flag from the dropdown menu, and set its value to **off**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From Command Line\n\n1. List all Cloud SQL database instances using \n ```\n `gcloud sql instances list`.\n ```\n2. Configure the `local_infile` database flag for every Cloud SQL MySQL database instance using \n ```\n `gcloud sql instances patch INSTANCE_NAME --database-flags local_infile=off`\n ```\n Note:\n This command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\n\n## Default Value\n\nBy default, `local_infile` is on.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. [https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile][3]\n3. [https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html][4]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. 
Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n \n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/flags\n[3]: https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_local_infile\n[4]: https://dev.mysql.com/doc/refman/5.7/en/load-data-local.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_mysql(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"local_infile\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_mysql(sql_database_instance) if 
{\n\tstartswith(sql_database_instance.database_version, \"MYSQL_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"e40-q63-udh","createdAt":1657547707503,"name":"'local_infile' database flag is set to 'off' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.2","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy enabling the `log_connections` setting, every attempted server connection is logged along with the successful completion of client authentication. Once the session starts, you cannot change this parameter.\n\n## Rationale\n\nBy default, PostgreSQL does not log attempted connections. 
By enabling the `log_connections` setting, you can create log entries for every attempted connection as well as the successful completion of client authentication. This can be useful in troubleshooting issues and determining any unusual connection attempts to the server. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\n\nBy turning on logging, the required storage increaess over time. Mismanaged logs may cause your storage costs to increase. \n\nSetting custom flags through the command line on certain instances can cause all omitted flags to reset to defaults. This may cause you to lose\ncustom flags and can result in unforeseen complications or instance restarts. Because of this, Datadog recommends applying these flag changes during a period of low usage.\n\n## Remediation\n\n## From the console\n1. In the Google Cloud Console, navigate to the [Cloud SQL Instances page][1].\n2. Select the PostgreSQL instance that you want to enable the database flag for.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the **log_connections** flag from the dropdown menu, and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the Overview page.\n\n## From the command line\n\nConfigure the `log_connections` database flag for every Cloud SQL PosgreSQL database instance using the following command:\n\n ```\n gcloud sql instances patch --database-flags\n log_connections=on\n ```\n\nThis command overwrites all previously set database flags. To keep these flags and add new ones, include all flag values to be set on the instance. Otherwise, flags that are not specifically included are set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign, for example: `=`.\n\nYou do not need to restart the Cloud SQL instance.\n\n## Default Value\n\nBy default, `log_connections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\n\nThis patch modifies database flag values, which may require you to restart your instance. Check the [list of supported flags][2] to see if your instance will restart when this patch is submitted.\n\nSome database flag settings can affect instance availability or stability, and may remove the instance from the Cloud SQL SLA.\n\nFor information about these flags, see the Operational Guidelines.\n\n## CIS Controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_connections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"84u-fez-kpn","createdAt":1657547707503,"name":"'log_connections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:6.2.3","scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnabling the `log_disconnections` setting logs the end of each session, including the\nsession duration.\n\n## Rationale\n\nPostgreSQL does not log session details such as duration and session end by default.\nEnabling the `log_disconnections` setting will create log entries at the end of each session,\nwhich can be useful in troubleshooting issues and determining any unusual activity across a\ntime period. The `log_disconnections` and `log_connections` settings work together and\ngenerally, the pair would be enabled or disabled together. 
This recommendation is applicable\nto PostgreSQL database instances.\n\n## Impact\n\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flags changes during a period of low usage.\n\n\n## Remediation\n\n## From the console\n\n1. Go to the [Cloud SQL Instances][1] page.\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_disconnections` from the drop-down menu and set the value as **on**.\n6. Click **Save**.\n7. Confirm the changes under **Flags** on the **Overview** page.\n\n## From the command line\n\n1. Configure the `log_disconnections` database flag for every Cloud SQL PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags\n log_disconnections=on\n ```\n\n **Note:** This command will overwrite all previously set database flags. To keep\n those and add new ones, include the values for all flags to be set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals\n sign (\"=\").\n\n## Default Value\n\nBy default, `log_disconnections` is off.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n## Additional Information\n\n- Configuring the `log_disconnections` flag does not require restarting the Cloud SQL instance.\n- Although the `log_disconnections` flag does not require a restart, you might modify other database flag values when you apply this patch. **Many database flags require restarting the Cloud SQL instance.** Before you modify a database flag, check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n- Some database flag settings can affect instance availability or stability and remove the instance from the Cloud SQL SLA. For information about these flags, see [Operational Guidelines][4].\n\n\n## CIS controls\n\nVersion 8, 8.5 Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://console.cloud.google.com/sql/instances\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_disconnections\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-b91-wj5","createdAt":1657665210451,"name":"'log_disconnections' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:6.2.1","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","control:10.3","control:CC7.2","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_error_verbosity` flag controls the verbosity/details of messages logged. 
Valid values are:\n- `TERSE`\n- `DEFAULT`\n- `VERBOSE`\n\n`TERSE` excludes the logging of `DETAIL`, `HINT`, `QUERY`, and `CONTEXT` error information.\n`VERBOSE` output includes the `SQLSTATE` error code, source code file name, function name, and line number that generated the error.\n\nEnsure an appropriate value is set to `DEFAULT` or stricter.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_error_verbosity` is not set to the correct value, too many details or too few details\nmay be logged. This flag should be configured with a value of `DEFAULT` or stricter. This\nrecommendation is applicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags via the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended you apply these flag changes during a period of low usage.\n\n- **WARNING**: This patch modifies database flag values, which may require your instance to be restarted. Check the list of supported flags -[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance will be restarted when this patch is submitted.\n- Note: some database flag settings can affect instance availability orn stability and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n### Default value\nBy default, `log_error_verbosity` is `DEFAULT`.\n\n## Remediation\n\n### From the console: \n1. Go to the Cloud SQL Instances page by visiting [https://console.cloud.google.com/sql/instances][2]\n2. 
Select the **PostgreSQL instance** for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the\nflag `log_error_verbosity` from the drop-down menu and set appropriate **value**.\n6. Click **Save**\n7. Confirm your changes under Flags on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_error_verbosity` database flag for every Cloud SQL PosgreSQL database instance using the below command.\n ```\n gcloud sql instances patch --database-flags\n log_error_verbosity=\n ```\n\n **Note**: This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all flags you want set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.1","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_error_verbosity\"\n\tnot lower(db_flags.value) in [\"default\", \"terse\", \"verbose\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"scj-vbv-qiu","createdAt":1660014086758,"name":"'log_error_verbosity' database flag is set to 'DEFAULT or Stricter' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:6.2.5","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nPostgreSQL only logs the IP address of the connecting hosts. The `log_hostname` flag\ncontrols the logging of hostnames, in addition to the IP addresses logged. The performance\nhit depends on the configuration of the environment and the host name resolution\nsetup. This parameter can only be set in the `postgresql.conf` file or on the server's\ncommand line.\n\n## Rationale\nLogging hostnames allows for the association of a hostname with the IP address at the time of\nconnection. 
This information helps with incident response efforts, particularly in an\nenvironment that utilizes dynamic IP addresses. Logging hostnames may incur overhead\non server performance because DNS resolution will be required to\nconvert the IP address to hostname. Depending on the setup, the overhead may be non-negligible.\nEnabling the log_hostname flag on PostgreSQL databases is recommended.\n\n## Impact\nUsing the command line to set custom flags on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended that you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_hostname` from the drop-down menu and select the value **On**.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line\n1. Configure the `log_hostname` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\n gcloud sql instances patch --database-flags log_hostname=on\n```\n\nNote: This command will overwrite all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## Default value\nBy default `log_hostname` is off.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of [supported flags][2] to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5 - Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: 
https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_hostname\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sco-bi7-twu","createdAt":1657547753389,"name":"'log_hostname' database flag is set to 'on' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:6.2.8","requirement:Confidentiality","control:A.12.4.1","control:C1.1","control:C1.2","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_duration_statement` flag defines the minimum execution time (milliseconds) of a\nstatement, where the total duration of the statement is logged. Ensure that\n`log_min_duration_statement` is disabled by setting the value to `-1`. This will disable statement logging.\n\n## Rationale\nSQL statement logs may include sensitive information that should not be recorded in\nthe logs. This recommendation is applicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. 
This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From the console\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting\n[https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance where the database flag needs to be enabled.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_duration_statement` from the drop-down menu and set a value of `-1`.\n6. Click **Save**.\n7. Confirm the changes under the Flags section on the Overview page.\n\n### From the command line\n1. List all Cloud SQL database instances using the following command:\n\n ```\n gcloud sql instances list\n ```\n\n2. Configure the `log_min_duration_statement` flag for every PosgreSQL\ndatabase instance using the below command:\n\n ```\n gcloud sql instances patch --database-flags log_min_duration_statement=-1\n ```\n Note: This command will overwrite all database flags previously set. To keep\nthose and add new ones, include the values for all flags to be set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n## Default value\nBy default `log_min_duration_statement` is set to `-1`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n## Additional Information\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.8","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_duration_statement\"\n\tnot database_flags.value == \"-1\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hfp-mu9-szg","createdAt":1658302988596,"name":"'log_min_duration_statement' database flag is set to '-1' (disabled) for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","control:6.2.7","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_error_statement` flag defines the minimum message severity level that is\nconsidered an error statement. Messages for error statements are logged with the SQL\nstatement. Valid values include `DEBUG5`, `DEBUG4`, `DEBUG3`, `DEBUG2`, `DEBUG1`, `INFO`, `NOTICE`,\n`WARNING`, `ERROR`, `LOG`, `FATAL`, and `PANIC`. 
Each severity level includes the subsequent levels\nmentioned above. Ensure a value of `ERROR` or stricter is set.\n\n## Rationale\nAuditing helps with troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. If general log messages are considered as error messages,\nit would be difficult to determine the actual errors. If only stricter severity levels are considered as\nerror messages, true errors might not be logged with their SQL statements. The\n`log_min_error_statement` flag should be set to `ERROR` or stricter. This recommendation is\napplicable to PostgreSQL database instances.\n\n## Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From Console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the `Flags` section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_error_statement` from the drop-down menu and set the appropriate\nvalue.\n6. Click `Save` to save your changes.\n7. Confirm your changes under the `Flags` section on the Overview page.\n\n### From Command Line:\n1. 
Configure the `log_min_error_statement` database flag for every Cloud SQL\nPosgreSQL database instance using the below command.\n\n ```\n gcloud sql instances patch --database-flags log_min_error_statement=\n ```\n\n Note: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `log_min_error_statement` is `ERROR`.\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n## Additional Information\nWARNING: This patch modifies database flag values, which may require your\ninstance to be restarted. Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][2] - to see if your instance\nwill be restarted when this patch is submitted.\n\nNote: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. 
For information\nabout these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n## CIS controls\n\nVersion 8, 8.5: Collect Detailed Audit Logs\n- Configure detailed audit logging for enterprise assets containing sensitive data.\nInclude event source, date, username, timestamp, source addresses, destination\naddresses, and other useful elements that could assist in a forensic investigation.\n\nVersion 7, 6.3: Enable Detailed Logging\n- Enable system logging to include detailed information such as an event source,\ndate, user, timestamp, source addresses, destination addresses, and other useful\nelements.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else 
= \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"log_min_error_statement\"\n\tnot upper(database_flags.value) in [\"ERROR\", \"LOG\", \"FATAL\", \"PANIC\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dm2-ey8-wr5","createdAt":1657888969813,"name":"'log_min_error_statement' database flag is set to 'ERROR' or stricter for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.3.6","requirement:Cloud-SQL","cloud_provider:gcp","control:10.2.6","source:google_sql_database_instance","requirement:Monitoring","control:6.2.6","control:10.3.4","control:A.12.4.1","control:10.3.2","requirement:System-Operations","framework:cis-gcp","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:CC7.2","framework:pci","requirement:Operations-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe `log_min_messages` flag defines the minimum 
message severity level that is considered\nas an error statement. Messages for error statements are logged with the SQL statement.\nValid values include `debug5`, `debug4`, `debug3`, `debug2`, `debug1`, `info`, `notice`, `warning`, `error`,\n`log`, `fatal`, and `panic`. Each severity level includes the subsequent levels mentioned above.\nFor best practices, set the value to `error`. Changes should only be made in accordance\nwith the organization's logging policy.\n\n### Default value\nBy default `log_min_error_statement` is `warning`.\n\n## Rationale\nAuditing helps in troubleshooting operational problems and also permits forensic analysis.\nIf `log_min_error_statement` is not set to the correct value, messages may not be classified\nas error messages appropriately. An organization will need to decide their own threshold\nfor logging `log_min_messages` flag.\n\n### Impact\nSetting the threshold too low will might result in increased log storage size and length,\nmaking it difficult to find actual errors. Setting the threshold to `warning` logs\nmost needed error messages. Setting the threshold to a higher severity level may result in some errors (that need troubleshooting) to not be logged.\n\nNote: To effectively turn off logging failing statements, set this parameter to `panic`.\n\nNote: Configuring the above flag does not require restarting the Cloud SQL instance.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud console.\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `log_min_messages` from the drop-down menu and set appropriate value.\n6. Click **Save**.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### From the command line:\n1. 
Configure the `log_min_messages` database flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n```\ngcloud sql instances patch --database-flags\nlog_min_messages=\n```\n\nNote: This command overwrites all database flags previously set. To keep\nflags previously set and add new ones, include the values for all flags you want set on the\ninstance; any flag not specifically included is set to its default value. For\nflags that do not take a value, specify the flag name followed by an equals\nsign (=).\n\n\n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][2]\n2. [https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/postgres/flags\n[3]: https://www.postgresql.org/docs/9.6/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHEN\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"fail\" {\n\tdb_flags := 
sql_database_instance.settings.database_flags[_]\n\tlower(db_flags.name) == \"log_min_messages\"\n\tlower(db_flags.value) in [\"debug5\", \"debug4\", \"debug3\", \"debug2\", \"debug1\", \"info\", \"notice\"]\n} else = \"pass\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"wha-a8w-2ic","createdAt":1661377322162,"name":"'log_min_messages' database flag is set to at least 'WARNING' for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.2.4","security:compliance","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:System-Operations","control:10.2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","scope:google_sql_database_instance","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nThe value 
of the `log_statement` flag determines the SQL statements that are logged. Valid\nvalues are:\n\n- `none`\n- `ddl`\n- `mod`\n- `all`\n\nThe value `ddl` logs all data definition statements. The value `mod` logs all `ddl` statements, plus\ndata-modifying statements.\n\nThe statements are logged after a basic parsing is done and the statement type is determined,\nthus log statements with errors are not logged. When using an extended query protocol,\nlogging occurs after an `Execute` message is received and values of the bind parameters are\nincluded.\n\nA value of `ddl` is recommended unless otherwise directed by your organization's logging\npolicy.\n\n## Rationale\nAuditing helps with forensic analysis. If the `log_statement` is not set to the correct value, too\nmany statements may be logged and lead to issues with finding relevant information from\nthe logs, or too few statements may be logged with relevant information missing from the\nlogs. Setting the `log_statement` to align with your organization's security and logging policies\nfacilitates auditing and review of database activities later on. This recommendation is\napplicable to PostgreSQL database instances.\n\n### Impact\nTurning on logging will increase the required storage over time. Mismanaged logs may\ncause your storage costs to increase. Setting custom flags using the command line on certain\ninstances will cause all omitted flags to be reset to defaults. This may cause you to lose\ncustom flags and could result in unforeseen complications or instance restarts. Because of\nthis, it is recommended that you apply these flag changes during a period of low usage.\n\n- **WARNING** This patch modifies database flag values, which may require your\ninstance to be restarted. 
Check the list of supported flags -\n[https://cloud.google.com/sql/docs/postgres/flags][1] - to see if your instance\nwill be restarted when this patch is submitted.\n- Note: Some database flag settings can affect instance availability or\nstability and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see Operational Guidelines.\n- Note: Configuring the above flag does not require restarting the Cloud SQL\ninstance.\n\n\n## Remediation\n\n### From the console:\n1. Go to the Cloud SQL Instances page by visiting: [https://console.cloud.google.com/sql/instances][2]\n2. Select the PostgreSQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**. Choose the flag `log_statement` from the drop-down menu and set the appropriate value.\n6. Click **Save**.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line:\n1. Configure the `log_statement database` flag for every Cloud SQL PosgreSQL database\ninstance using the below command.\n ```\n gcloud sql instances patch --database-flags log_statement=\n ```\n\n **Note** This command will overwrite all database flags previously set. To keep\n those and add new ones, include the values for all the flags that you want to set on the\n instance; any flag not specifically included is set to its default value. For\n flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n \n## References\n1. [https://cloud.google.com/sql/docs/postgres/flags][1]\n2. 
[https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT][3]\n\n\n[1]: https://cloud.google.com/sql/docs/postgres/flags\n[2]: https://console.cloud.google.com/sql/instances\n[3]: https://www.postgresql.org/docs/current/runtime-config-logging.html#RUNTIME-CONFIG-LOGGING-WHAT\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_PostgreSQL(sql_database_instance)\n} else = \"pass\" {\n\tdb_flags := sql_database_instance.settings.database_flags[_]\n\tdb_flags.name == \"log_statement\"\n\tdb_flags.value in [\"ddl\", \"mod\", \"all\"]\n} else = \"fail\" {\n\ttrue\n}\n\nis_PostgreSQL(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"POSTGRES_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xzi-8ya-6hp","createdAt":1659621705012,"name":"'log_statement' database flag is set appropriately for PostgreSQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","control:8.7","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","control:6.3.5","control:2.2.5","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended to set the `remote access` database flag for Cloud SQL SQL Server instances to `off`.\n\n## Rationale\n\nThe remote access option controls the execution of stored procedures from local or remote servers on which instances of SQL Server are running. The default value for this option is 1. 
This grants permission to run local stored procedures from remote servers or remote stored procedures from the local server. To prevent local stored procedures from being run from a remote server or remote stored procedures from being run on the local server, this must be disabled. Remote access functionality can be abused to launch a Denial-of-Service (DoS) attack on remote servers by off-loading query processing to a target, so it should be disabled. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nSetting custom flags through the command line on certain instances causes all omitted flags to be reset to defaults. This may cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance for which you want to enable the database flag.\n3. Click `Edit`.\n4. Scroll down to the `Flags` section.\n5. To set a flag that has not been set on the instance before, click `Add item`, choose the flag `remote access` from the drop-down menu, and set its value to `off`.\n6. Click `Save` to save your changes.\n7. Confirm your changes under `Flags` on the Overview page.\n\n### From the command line\n\nConfigure the remote access database flag for every Cloud SQL SQL Server database instance using the following command:\n\n```\ngcloud sql instances patch --database-flags \"remote access=off\"\n```\n\n### Note: \nThis command overwrites all database flags previously set. To keep those and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. 
For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default Value\n\nRemote access is `on` by default.\n\n## Additional information\n\nConfiguring the remote access database flag does not restart the Cloud SQL instance.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337][4]\n\n## CIS Controls\n\nVersion 8 - 4.8 Uninstall or Disable Unnecessary Services on Enterprise Assets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-remote-access-server-configuration-option?view=sql-server-ver15\n[4]: 
https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79337\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"remote access\"\n\tdatabase_flags.value == \"off\"\n} else = \"fail\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"tnw-ph8-chr","createdAt":1657296719786,"name":"'remote access' database flag is set to 'off' for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Communication-and-Information","security:compliance","control:6.1.2","requirement:Least-Privileged-Access","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that for Cloud SQL Instances, you set the `skip_show_database` database flag to `ON`.\n\n## Rationale\n\nThe `skip_show_database` database flag prevents people from using the `SHOW DATABASES`\nstatement if they do not have the `SHOW DATABASES` privilege. 
This can improve security if\nyou have concerns about users being able to see databases belonging to other users. The `skip_show_database` flag's effect depends on the `SHOW DATABASES` privilege: If the variable value is `ON`, the `SHOW\nDATABASES` statement is permitted only for users who have the `SHOW DATABASES`\nprivilege, and the statement displays all database names. If the value is `OFF`, `SHOW\nDATABASES` is permitted for all users, but displays the names of only those databases for\nwhich the user has `SHOW DATABASES` or other privilege. This recommendation is\napplicable to MySQL database instances.\n\n## Remediation\n\n## Using console\n\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the MySQL instance for which you want to enable the database flag.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. To set a flag that has not been set on the instance before, click **Add item**, choose the flag `skip_show_database` from the drop-down menu, and set its value to `ON`.\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n\n## Using command line:\n1. To list all Cloud SQL database Instances, run:\n `gcloud sql instances list`\n2. Configure the `skip_show_database` database flag for every Cloud SQL MySQL database instance using the following command:\n \n ```\n gcloud sql instances patch INSTANCE_NAME --database-flags\n skip_show_database=on\n ```\n **Note**: This command overwrites all database flags previously set. To keep the previously set flags and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (`=`).\n\n## References\n1. [https://cloud.google.com/sql/docs/mysql/flags][2]\n2. 
[https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database][3]\n\n\n## Additional information\n\n**Warning**: This patch modifies database flag values, which may require your instance to be restarted. Check the [list of supported flags][2] to see if your instance will be restarted when this patch is submitted.\n\n**Note**: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information about these flags, see Operational Guidelines.\n\n**Note**: Configuring the above flag restarts the Cloud SQL instance.\n\n## CIS controls\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. Apply data\n access control lists, also known as access permissions, to local and remote file systems,\n databases, and applications.\n\n [1]: https://console.cloud.google.com/sql/instances\n [2]: https://cloud.google.com/sql/docs/mysql/flags\n [3]: 
https://dev.mysql.com/doc/refman/5.7/en/server-system-variables.html#sysvar_skip_show_database\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1.2","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot startswith(sql_database_instance.database_version, \"MYSQL_\")\n} else = \"pass\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"skip_show_database\"\n\tdatabase_flags.value == \"on\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qjv-gnn-q3l","createdAt":1657547753389,"name":"'skip_show_database' flag is set to 'on' for MySQL Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:6.3.3","security:compliance","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Control-Activities","level:1","control:2.2.3","framework:soc-2","scope:google_sql_database_instance","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to check the `user connections` option for a GCP SQL Server instance to\nensure that it is not artificially limiting connections.\n\n## Rationale\n\nThe `user connections` option specifies the maximum number of simultaneous user\nconnections that are allowed on an instance of SQL Server. The actual number of user\nconnections allowed also depends on the version of SQL Server that you are using, and also\nthe limits of your application(s) and hardware. SQL Server allows a maximum\nof 32,767 user connections. 
Because user connections is by default a self-configuring value,\nSQL Server adjusts the maximum number of user connections automatically as\nneeded, up to the maximum value allowed. For example, if only 10 users are logged in, then 10\nuser connection objects are allocated. In most cases, you do not have to change the value\nfor this option. The default is `0`, which means that the maximum (32,767) user connections\nare allowed. However, if there is a number defined here that limits connections, SQL Server\nwill not allow any connections above this limit. If the connections are at the limit, any new\nrequests will be dropped, potentially causing lost data or outages for those using the\ndatabase.\n\n## Impact\nSetting custom flags using the command line on certain instances will cause all omitted flags to be\nreset to defaults. This may cause you to lose custom flags and could result in unforeseen\ncomplications or instance restarts. Because of this, it is recommended you apply these flag\nchanges during a period of low usage.\n\n## Remediation\n\n### Using the console\n1. Go to the [Cloud SQL Instances page][1] in the Google Cloud Console.\n2. Select the SQL Server instance for which you want to enable to database flag.\n3. Click **Edit**.\n4. Scroll down to the Flags section.\n5. Click **Add item** to set a flag that has not been set on the instance before. Choose the\nflag `user connections` from the drop-down menu, and set its value to your organization's recommended value.\n6. Click **Save** to save your changes.\n7. Confirm your changes under the Flags section on the Overview page.\n\n### Using the command line\n1. Configure the `user connections` database flag for every GCP SQL Server\ndatabase instance using the below command.\n ```\n gcloud sql instances patch --database-flags \"userconnections=[0-32,767]\"\n ```\n \n\n\nNote: This command will overwrite all database flags previously set. 
To keep the flags previously set and add new ones, include the values for all flags you want set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).\n\n## Default value\nBy default `user connections` is set to '0', which does not limit the number of connections\nand allows the server to facilitate a maximum of 32,767 connections.\n\n## References\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][2]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15][3]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119][4]\n\n## Additional Information\n\nWARNING: This patch modifies database flag values, which may require your instance to be restarted. Check the list of [supported flags][2] to see if your instance will be restarted when this patch is submitted. \n\nNote: Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. 
For information about these flags, see Operational Guidelines.\n\nNote: Configuring the above flag does not restart the GCP SQL instance.\n\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/sqlserver/flags\n[3]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-connections-server-configuration-option?view=sql-server-ver15\n[4]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79119\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.3","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user connections\"\n\tnot database_flags.value == \"0\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER_\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"suj-vdt-udi","createdAt":1657547707508,"name":"'user connections' database flag is set to a non-limiting value for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:6.3.4","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","requirement:Control-Activities","control:7.2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the `user options` database flag for SQL Server instance not be configured.\n\n## Rationale\n\nThe `user options` flag specifies global defaults for all users. A list of default query processing options is established for the duration of a user's work session. 
The user options flag allows you to change the default values of the SET options (if the server's default settings are not appropriate).\n\nA user can override these defaults by using the SET statement. You can configure user options dynamically for new logins. After you change the setting of user options, new login sessions use the new setting; current login sessions are not affected. This recommendation is applicable to SQL Server database instances.\n\n## Impact\n\nIn some instances, setting custom flags via the command line causes all omitted flags to be reset to their defaults. This might cause you to lose custom flags and could result in unforeseen complications or instance restarts. Because of this, it is recommended you apply these flag changes during a period of low usage.\n\n## Remediation\n\n### From console\n\n1. Go to the **Cloud SQL Instances** page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Select the SQL Server instance you want to configure.\n3. Click **Edit**.\n4. Scroll down to the **Flags** section.\n5. Click the **X** next to the **user options** flag shown\n6. Click **Save** to save your changes.\n7. Confirm your changes under **Flags** on the **Overview** page.\n\n### From the command line\n\n1. List all Cloud SQL database Instances:\n \n ```\n gcloud sql instances list\n ```\n\n2. Clear the user options database flag for every Cloud SQL SQL Server database instance using either of the below commands:\n\n - To clear all flags and reset them to their default values:\n\n ```\n gcloud sql instances patch --clear-database-flags\n ```\n\n - To clear only the `user options` database flag, re-enter all of database flags that you want to configure and exclude the `user options` flag and its value:\n\n ```\n gcloud sql instances patch --database-flags [FLAG1=VALUE1,FLAG2=VALUE2]\n ```\n\n **Note**: This command overwrites all database flags previously set. 
To keep those flags and add new ones, include the values for all flags you want set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (\"=\").\n\n## Default value\n\nBy default, 'user options' is not configured.\n\n## References\n\n1. [https://cloud.google.com/sql/docs/sqlserver/flags][1]\n2. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15][2]\n3. [https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335][3]\n\n\n## Additional information\n\n- Some database flag settings can affect instance availability or stability, and remove the instance from the Cloud SQL SLA. For information\nabout these flags, see [Operational Guidelines][4].\n\n- Configuring the above flag does not restart the Cloud SQL instance.\n\n[1]: https://cloud.google.com/sql/docs/sqlserver/flags\n[2]: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-the-user-options-server-configuration-option?view=sql-server-ver15\n[3]: https://www.stigviewer.com/stig/ms_sql_server_2016_instance/2018-03-09/finding/V-79335\n[4]: 
https://cloud.google.com/sql/docs/operational-guidelines\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_SQLServer(sql_database_instance)\n} else = \"fail\" {\n\tdatabase_flags := sql_database_instance.settings.database_flags[_]\n\tdatabase_flags.name == \"user options\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_SQLServer(sql_database_instance) if {\n\tstartswith(sql_database_instance.database_version, \"SQLSERVER\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"l6m-j1r-hz1","createdAt":1657665179501,"name":"'user options' database flag is not configured for SQL Server Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a Kubernetes user attempts to perform a high number of actions that are denied in a short amount of time.\n\n## Strategy\nThis rule identifies responses of the API server where the reason for the error is set to `Forbidden`, indicating that an authenticated user attempted to perform an action that they are not explicitly authorized to perform.\n\nThe rule flags users who receive permission denied errors on several distinct API endpoints in a short amount of time.\n\n## Triage and response\n1. Determine if the user: `{{@usr.id}}` is expected to perform the denied actions. If yes, the alert may be due to a misconfigured application or a service account with insufficient privileges.\n2. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @responseStatus.reason:Forbidden -@usr.id:(system\\:serviceaccount\\:*\\:datadog* OR system\\:kube-scheduler OR system\\:anonymous OR eks\\:authenticator OR eks\\:pod-identity-mutating-webhook OR system\\:serviceaccount\\:kube-system\\:root-ca-cert-publisher)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"access_denied","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"access_denied > 10"}],"type":"log_detection","id":"elb-nlu-hso","createdAt":1649948632063,"name":"A Kubernetes user attempted to perform a high number of actions that were denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIdentify when a Kubernetes user is assigned cluster-level administrative permissions.\n\n## Strategy\n\nThis rule monitory when a `ClusterRoleBinding` object is created to bind a Kubernetes user to the `cluster-admin` [default cluster-wide role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). This effectively grants the referenced user with full administrator permissions over all the Kubernetes cluster.\n\n## Triage and response\n\n1. Determine if the Kubernetes user referenced in `@requestObject.subjects` is expected to have been granted administrator permissions on the cluster\n2. Determine if the actor (`@usr.id`) is authorized to assign administrator permissions\n3. 
Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @requestObject.kind:ClusterRoleBinding @requestObject.roleRef.name:cluster-admin -@usr.id:system\\:apiserver","groupByFields":["@usr.id"],"aggregation":"count","name":"cluster_admin_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"cluster_admin_added > 0"}],"type":"log_detection","id":"8ds-sxh-n83","createdAt":1649948626807,"name":"A Kubernetes user was assigned cluster administrator permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","scope:google_bigquery_dataset","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.3","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","source:google_bigquery_dataset","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. 
The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user. For greater control, _customer-managed encryption keys_ (CMEKs) can be used as an encryption key management solution for BigQuery datasets.\n\n### Default Value\nGoogle-managed keys are used as key encryption keys.\n\n## Rationale\nBy default, BigQuery uses envelope encryption with Google-managed cryptographic keys to encrypt the data at rest. The data is encrypted using _data encryption keys_, and the data encryption keys themselves are further encrypted using _key encryption keys_. This is seamless and does not require any additional input from the user.\n\nFor greater control, CMEKs can be used as an encryption key management solution for BigQuery datasets. Setting a default CMEK for a dataset ensures that any tables created in the future will use the specified CMEK, if no others are provided.\n\n## Impact\nUsing CMEKs incurs an additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n**Note**: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n# Remediation\nTo update the default CMEK for existing data sets, specify the default key in the `EncryptionConfiguration.kmsKeyName` field when calling the `datasets.insert` or `datasets.patch` methods.\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.3","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_dataset) = \"pass\" if {\n\tbigquery_dataset.default_encryption_configuration.kms_key_name\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_dataset"]},"validationQuery":"","resourceType":"gcp_bigquery_dataset","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_dataset","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fdc-usk-ol3","createdAt":1664548344812,"name":"A default customer-managed encryption key (CMEK) is specified for the BigQuery data set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1158","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nHidden files may be used by attackers to hide from detection mechanisms on hosts and containers. This detection aims at finding the creation of any new hidden files.\n\n## Strategy\nIn Linux, files are hidden from users by prepending `.` to the filename. For example `.some.file`. This detection will monitor for the creation of any file thats name begins with a `.`.\n\n## Triage & Response\n1. Check to see which user or process created the new hidden file.\n3. 
If these new files are not expected contain the host or container, roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"hidden_file\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"irl-syq-8wf","createdAt":1598443015169,"name":"A hidden file was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the deletion of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was deleted.\n2. Check which user or process deleted the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_removed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"t7t-jio-cms","createdAt":1598516746158,"name":"A log file in /var/log/ was removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Logging","security:compliance","control:3.2.1","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes can audit the details of requests made to the API server. The `--audit-policy-file` flag must be set for this logging to be enabled.\n\n## Rationale\n\nLogging is an important detective control for all systems, to detect potential unauthorised access.\n\n## Audit\n\nRun the following command on one of the cluster master nodes: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-policy-file` is set. Review the contents of the file specified and ensure that it contains a valid audit policy.\n\n## Remediation\n\nCreate an audit policy file for your cluster.\n\n## Impact\n\nAudit logs will be created on the master nodes, which will consume disk space. 
Care should be taken to avoid generating too large volumes of log information as this could impact the available of the cluster nodes.\n\n## Default value\n\nUnless the `--audit-policy-file` flag is specified, no auditing will be carried out.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/debug-application-cluster/audit/][1]\n\n## CIS controls\n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.\n\n[1]: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"3.2.1","framework":"cis-kubernetes","requirement":"Logging","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-3.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ehp-xpm-xi3","createdAt":1599602215207,"name":"A minimal audit policy exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a new Kubernetes [admission controller][1] is created in the cluster.\n\nAdmission controllers can intercept all incoming requests to the API server. An attacker can use them to establish persistence or to access sensitive data (such as secrets) sent to the API server.\n\n## Strategy\nThis rule identifies when a `MutatingWebhookConfiguration` or `ValidatingWebhookConfiguration` is created.\n\n## Triage and response\n1. 
Determine if the admission controller being created is expected.\n2. Determine if the user: `{{@usr.id}}` should be creating the admission controller.\n3. Use the Cloud SIEM `User Investigation` dashboard to review user actions that occurred after the potentially malicious action.\n\n## Changelog\n* 20 September 2022 - Updated tags\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @http.method:create @objectRef.resource:(mutatingwebhookconfigurations OR validatingwebhookconfigurations) -@usr.id:(eks\\:cluster-bootstrap OR system\\:serviceaccount\\:kyverno\\:kyverno OR system\\:serviceaccount\\:kube-system\\:*)","groupByFields":["@usr.id"],"aggregation":"count","name":"admission_controller_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admission_controller_created > 0"}],"type":"log_detection","id":"jpb-ixq-qbz","createdAt":1649948611129,"name":"A new Kubernetes admission controller was created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 teams app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `AppInstalled`, where the `AddOnType` has a value of `4` and a new `@AddOnName` is observed.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@AddOnName}}`.\n2. 
If `{{@usr.email}}` is not responsible for installing `{{@AddOnName}}`, investigate `{{@usr.email}}` for anomalous activity. If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":165,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AddOnName","aggregation":"new_value","metrics":["@AddOnName"],"groupByFields":["@usr.id"],"query":"source:microsoft-365 @evt.name:AppInstalled @AddOnType:4"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"sja-6t5-2xv","createdAt":1636984812148,"name":"A new Microsoft 365 Teams app is observed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Microsoft 365 app is installed as a means of establishing persistence.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Add application.` and event `@evt.outcome` of `Success`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to install `{{@ObjectId}}`.\n2. If `{{@usr.email}}` is not responsible for installing `{{@ObjectId}}`, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@ObjectId","aggregation":"new_value","metrics":["@ObjectId"],"groupByFields":["@ObjectId","@usr.id"],"query":"source:microsoft-365 @evt.name:\"Add application.\" @evt.outcome:Success"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"o4m-xqz-5gv","createdAt":1636984818117,"name":"A new Microsoft 365 application was installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:164.312-e-1","cloud_provider:aws","framework:gdpr","scope:acm","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Cardholder-Data","requirement:Security-Management-Process","control:32.1a","source:acm","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:3.6.4","framework:pci","control:25.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRemove expired Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates with AWS Certificate Manager (ACM).\n\n## Rationale\n\nExpired AWS ACM SSL/TLS certificates that are deployed to another resource are at risk of triggering front-end errors and compromising the credibility of a web application.\n\n## Remediation\n\n### Console\n\nFollow the [Deleting Certificates Managed by ACM][1] docs to learn how to delete SSL/TLS certifications in the AWS Console.\n\n### CLI\n\n1. 
Run `delete-certificate` with the [certificate ARN][2].\n\n ```\n aws acm delete-certificate\n --certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012\n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"EXPIRED\"\n\tacm.status != \"VALIDATION_TIMED_OUT\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qea-4gr-voj","createdAt":1616090994211,"name":"ACM certificate is active"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are 30 days left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\tthirty_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oc4-dzj-jtg","createdAt":1619112188918,"name":"ACM certificate is valid for 30 or more 
days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Security-of-Processing","requirement:Cardholder-Data","cloud_provider:aws","control:32.1a","source:acm","framework:gdpr","scope:acm","control:3.6.4","framework:pci","control:25.2","requirement:Data-Protection"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRenew your SSL/TLS certificate managed by AWS Certificate Manager (ACM) as there are seven day left to renew.\n\n## Rationale\n\nCertificates that are not renewed prior to their expiration date become invalid. Invalid certificates make communication between the client and AWS resources insecure.\n\n## Remediation\n\n### Console\n\nACM automatically renews certificates (if you are using DNS validation) or sends an email notification when expiration is approaching. Follow the [Managed renewal for ACM certificates][1] docs for more information.\n\n### CLI\n\n1. Run `import-certificate` using the [ARN of the SSL/TLS certificate][2] that you want to renew. 
This will return the ARN of the renewed SSL/TLS certificate.\n\n ```\n aws acm import-certificate\n --certificate-arn \n --certificate \n --private-key \n --certificate-chain \n ```\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nseven_days_ms := (((7 * 24) * 60) * 60) * 1000\n\neval(acm) = \"pass\" if {\n\t# assert that the difference between now (resource seen at) and not after time (certificate expiry) > 7 days\n\tseven_days_ms < acm.not_after - acm.resource_seen_at\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"32b-dj3-8n2","createdAt":1619112188607,"name":"ACM certificate is valid for 7 or more days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Cardholder-Data","cloud_provider:aws","source:acm","scope:acm","control:3.6.4","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate all Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM).\n\n## Rationale\n\n[Requests for AMC certificates time out if they are not not validated within 72 hours][1]. If a certificate is not validated, it can interrupt an application or service.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up DNS Validation][2] or [Resending Validation Email][3] docs to validate a certificate in the AWS Console or by email.\n\n### CLI\n\n1. Run `resend-validation-email` using the ARN of the invalid certificate with your `domain` and `validation-domain`.\n\n ```\n aws acm resend-validation-email\n --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d\n --domain www.example.com\n --validation-domain example.com\n ```\n\n2. 
Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the `I Approve` button.\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html\n[2]: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html#setting-up-dns-validation\n[3]: https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html#gs-acm-resend","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(acm) = \"pass\" if {\n\t0 < acm.not_after - acm.resource_seen_at\n\tacm.status != \"PENDING_VALIDATION\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_acm"]},"validationQuery":"","resourceType":"aws_acm","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_acm","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"lpi-kie-f8h","createdAt":1616090994081,"name":"ACM certificate issue request is 
validated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:ec2","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIdentify publicly accessible Amazon Machine Images (AMIs).\n\n## Rationale\n\nWhen an AMI is shared publicly, anyone outside your organization can see it in the [list of public AMIs][1] and create an EC2 instance from it, accessing all the files it contains.\n\nAMIs typically contain source code, configuration files and credentials and should not be shared publicly.\n\n## Remediation\n\nStop sharing the AMI publicly. AMIs should be shared only with [specific AWS accounts][2] or [your AWS Organization][3].\n\n### Console\n\nFollow the instructions outlined in the [AWS documentation][4]. 
Untick the public sharing option.\n\n### CLI\n\nUse the following command to stop sharing the AMI:\n\n```\naws ec2 modify-image-attribute \\\n--image-id ami-xxxx \\\n--launch-permission \"Remove=[{Group=all}]\"\n```\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/usingsharedamis-finding.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/share-amis-with-organizations-and-OUs.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport 
future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncustomer_owned(ami) if {\n\tami.image_owner_alias != \"aws-marketplace\"\n\tami.image_owner_alias != \"amazon\"\n} else {\n\tnot ami.image_owner_alias\n}\n\neval(ami) = \"skip\" if {\n\tnot customer_owned(ami)\n} else = \"pass\" {\n\tami.public == false\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_ami"]},"validationQuery":"","resourceType":"aws_ami","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ami","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6l2-azd-mlu","createdAt":1645630055435,"name":"AMI is not publicly shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.30","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. 
Configure the API server to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the TLS certificate and private key file parameters. \n```\n--tls-cert-file= \n--tls-private-key-file=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.30","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"m9r-8ka-arc","createdAt":1599604115727,"name":"API Server requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.1","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable anonymous requests to the Kubelet server.\n\n## Rationale\n\nWhen enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests.\n\n## Audit\n\nIf using a Kubelet configuration file, check that there is an entry for authentication: anonymous: enabled set to false. Run the following command on each node: `ps -ef | grep kubelet`. Verify that the `--anonymous-auth` argument is set to false. This executable argument may be omitted, provided there is a corresponding entry set to false in the Kubelet config file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: anonymous: enabled` to false. 
If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable:\n\n```\n--anonymous-auth=false\n```\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nAnonymous requests will be rejected.\n\n## Default value\n\nBy default, anonymous access is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.1","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oun-uxo-viy","createdAt":1599606050277,"name":"API server anonymous-auth argument is set to false"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.24","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nRetain 10 or an appropriate number of old log files.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. For example, if you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxbackup` argument is set to `10` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxbackup` parameter to `10` or to an appropriate value: `--audit-log-maxbackup=10`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.24","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"r0g-aai-2xf","createdAt":1599605542630,"name":"API server audit log files are retained for at least 10 log file rotations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.25","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRotate log files on reaching 100 MB or as appropriate.\n\n## Rationale\n\nKubernetes automatically rotates the log files. Retaining old log files ensures that you would have sufficient log data available for carrying out any investigation or correlation. 
If you have set file size of 100 MB and the number of old log files to keep as 10, you would approximate have 1 GB of log data that you could potentially use for your analysis.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxsize` argument is set to `100` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxsize` parameter to an appropriate size in MB. For example, to set it as 100 MB: `--audit-log-maxsize=100`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.25","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qhy-gng-bh4","createdAt":1599603202907,"name":"API server audit log files are rotated once the file reaches 100 MB or more"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.22","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on the Kubernetes API Server and set the desired audit log path.\n\n## Rationale\n\nAuditing the Kubernetes API Server provides a security-relevant chronological set of records documenting the sequence of activities that have affected system by individual users, administrators or other components of the system. Even though currently, Kubernetes provides only basic audit capabilities, it should be enabled. 
You can enable it by setting an appropriate audit log path.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-path` argument is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ 3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. Version 7 6.2 Activate audit logging Ensure that local logging has been enabled on all systems and networking devices. 
6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.22","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fny-sti-0dk","createdAt":1599601104396,"name":"API server audit logs are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.23","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRetain the logs for at least 30 days or as appropriate.\n\n## Rationale\n\nRetaining logs for at least 30 days ensures that you can go back in time and investigate or correlate any events. 
Set your audit log retention period to 30 days or as per your business requirements.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--audit-log-maxage` argument is set to `30` or as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--audit-log-maxage` parameter to `30` or as an appropriate number of days: `--audit-log-maxage=30`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, auditing is not enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/concepts/cluster-administration/audit/ \n3. https://github.com/kubernetes/features/issues/22\n\n## CIS controls\n\nVersion 6 6.3 Ensure Audit Logging Systems Are Not Subject To Loss (i.e. rotation/archive) Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis. 
Version 7 6.4 Ensure adequate storage for logs Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.23","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.23\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jbu-o8v-pku","createdAt":1599605700813,"name":"API server audit logs are retained for at least 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.19","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind to insecure port.\n\n## Rationale\n\nSetting up the apiserver to serve on an insecure port would allow unauthenticated and unencrypted access to your master node. This would allow attackers who could access this port, to easily take control of the cluster.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-port` argument is set to `0`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --insecure-port=0\n\n## Impact\n\nAll components that use the API must connect via the secured port, authenticate themselves, and be authorized to use the API. 
This includes: kube-controller-manager kube-proxy kube-scheduler kubelets\n\n## Default value\n\nBy default, the insecure port is set to 8080.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.19","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2ci-yqv-wv0","createdAt":1599605796539,"name":"API server does not bind the API service to an insecure port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.18","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the insecure API service.\n\n## Rationale\n\nIf you bind the apiserver to an insecure address, basically anyone who could connect to it over the insecure port, would have unauthenticated and unencrypted access to your master node. 
The apiserver doesn't do any authentication checking for insecure binds and traffic to the Insecure API port is not encrpyted, allowing attackers to potentially read sensitive data in transit.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--insecure-bind-address` argument does not exist.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --insecure-bind-address parameter.\n\n## Impact\n\nConnections to the API server will require valid authentication credentials.\n\n## Default value\n\nBy default, the insecure bind address is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 9.1 Limit Open Ports, Protocols, and Services Ensure that only ports, protocols, and services with validated business needs are running on each system. Version 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.18","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tzo-x3g-yya","createdAt":1599606081666,"name":"API server does not bind to an insecure API service 
address"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.2.3","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use token based authentication.\n\n## Rationale\n\nThe token-based authentication utilizes static tokens to authenticate requests to the apiserver. The tokens are stored in clear-text in a file on the apiserver, and cannot be revoked or rotated without restarting the apiserver. Hence, do not use static token-based authentication.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver \n```\nVerify that the `--token-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--token-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as certificates. Static token based authentication could not be used.\n\n## Default value\n\nBy default, `--token-auth-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/authentication/#static-token-file\n2. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.3","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mvv-hb7-ucv","createdAt":1599603449449,"name":"API server does not use token based authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not always authorize all requests.\n\n## Rationale\n\nThe API Server, can be configured to allow all requests. This mode should not be used on any production cluster.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is not set to `AlwaysAllow`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to values other than `AlwaysAllow`. 
One such example could be as below:\n\n```\n--authorization-mode=RBAC\n```\n\n## Impact\n\nOnly authorized requests will be served.\n\n## Default value\n\nBy default, `AlwaysAllow` is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.7","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kli-btm-jbr","createdAt":1599602646953,"name":"API server only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.1","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file has 
permissions of 644 or more restrictive.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node:\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-apiserver.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-apiserver.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.1","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8tj-q6g-eyj","createdAt":1599601227733,"name":"API server pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.21","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. 
--profiling=false\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.21","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wk0-7yo-dw9","createdAt":1599602770265,"name":"API server profiling is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.26","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet global request timeout for API server requests as appropriate.\n\n## Rationale\n\nSetting global request timeout allows extending the API server request timeout limit to a duration appropriate to the user's connection speed. By default, it is set to 60 seconds which might be problematic on slower connections making cluster resources inaccessible once the data volume for requests exceeds what can be transmitted in 60 seconds. 
But, setting this timeout limit to be too large can exhaust the API server resources making it prone to Denial-of-Service attack. Hence, it is recommended to set this limit as appropriate and change the default limit of 60 seconds only if needed.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--request-timeout` argument is either not set or set to an appropriate value.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml and set the below parameter as appropriate and if needed. For example, --request-timeout=300s\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, --request-timeout is set to 60 seconds.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://github.com/kubernetes/kubernetes/pull/51415\n\n## CIS controls\n\nVersion 6 14.6 Enforce Detailed Audit Logging For Sensitive Information Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. 
Version 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.26","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1kt-cbt-hvl","createdAt":1599604242564,"name":"API server request timeout exceeds 60 seconds only if required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.20","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable the secure port.\n\n## Rationale\n\nThe secure port is used to serve https with authentication and authorization. 
If you disable it, no https traffic is served and all traffic is served unencrypted.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--secure-port` argument is either not set or is set to an integer value between `1` and `65535`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --secure-port parameter or set it to a different (non-zero) desired port.\n\n## Impact\n\nYou need to set the API Server up with the right TLS certificates.\n\n## Default value\n\nBy default, port 6443 is used as the secure port.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.20","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5w3-iw4-y16","createdAt":1599603757033,"name":"API server secure port is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.31","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the API server.\n\n## Rationale\n\nAPI server communication contains sensitive parameters that should remain encrypted in transit. Configure the API server to serve only HTTPS traffic. If `--client-ca-file` argument is set, any request presenting a client certificate signed by one of the authorities in the `client-ca-file` is authenticated with an identity corresponding to the CommonName of the client certificate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--client-ca-file` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection on the apiserver. 
Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the client certificate authority file: `--client-ca-file=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--client-ca-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ \n3. https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.31","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"nad-eon-2rv","createdAt":1599599105054,"name":"API server uses TLS certificate client 
authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.28","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account public key file for service accounts on the apiserver.\n\n## Rationale\n\nBy default, if no --service-account-key-file is specified to the apiserver, it uses the private key from the TLS serving certificate to verify service account tokens. To ensure that the keys for service account tokens could be rotated as needed, a separate public/private key pair should be used for signing service account tokens. Hence, the public key should be specified to the apiserver with --service-account-key-file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--service-account-key-file` argument exists and is set as appropriate.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--service-account-key-file` parameter to the public key file for service accounts: `--service-account-key-file=`\n\n## Impact\n\nThe corresponding private key must be provided to the controller manager. You would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-key-file` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. 
https://github.com/kubernetes/kubernetes/issues/24167\n\n## CIS controls\n\nVersion 6 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers \nVersion 7 5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.28","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xtg-mzn-vft","createdAt":1599604846892,"name":"API server uses a service account public key file for service accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.27","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nValidate service account before validating token.\n\n## Rationale\n\nIf --service-account-lookup is not enabled, the apiserver only verifies that the authentication token is valid, and does not validate that the service account token mentioned in the request is actually present in etcd. This allows using a service account token even after the corresponding service account is deleted. 
This is an example of time of check to time of use security issue.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that if the `--service-account-lookup` argument exists it is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the below parameter. `--service-account-lookup=true` Alternatively, you can delete the `--service-account-lookup` parameter from this file so that the default takes effect.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--service-account-lookup` argument is set to true.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://github.com/kubernetes/kubernetes/issues/24167 \n3. https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.27","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.27\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycp-ppm-trb","createdAt":1599599105043,"name":"API server validates the service account token exists in 
etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify kubelet's certificate before establishing connection.\n\n## Rationale\n\nThe connections from the apiserver to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelets port-forwarding functionality. These connections terminate at the kubelets HTTPS endpoint. By default, the apiserver does not verify the kubelets serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-certificate-authority` argument exists and is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--kubelet-certificate-authority` parameter to the path to the cert file for the certificate authority. \n\n```\n--kubelet-certificate-authority=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, `--kubelet-certificate-authority` argument is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n3. 
https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.6","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sbm-nxt-qv3","createdAt":1599603880124,"name":"API server verifies the kubelet's certificate before establishing connection"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AMI is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an AMI is made public.\n\n* [ModifyImageAttribute][1]\n\nThis rule inspects the `@requestParameters.launchPermission.add.items.group` 
array to determine if the string `all` is contained. This is the indicator which means the image is made public.\n\n## Triage and response\n1. Determine if the AMI (`@requestParameters.imageId`) should be made public using CloudTrail logs.\n2. Investigate the following ARN (`{{@userIdentity.arn}}`) that made the AMI public.\n3. Contact the user to see if they intended to make the image public.\n4. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-image-attribute.html#examples","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifyImageAttribute @requestParameters.launchPermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"eh4-lwa-d9z","createdAt":1594140296319,"name":"AWS AMI Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:cloudtrail","framework:cis-aws","requirement:monitoring","control:4.5","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by modifying CloudTrail.\n\n## Strategy\nThis rule detects if a user is modifying CloudTrail by monitoring the CloudTrail API using [UpdateTrail][1] API calls.\n\n## Triage and response\n1. Review the `@responseElements` in the `UpdateTrail` event to determine the scope of the changes.\n2. 
Determine if the user ARN (`{{@userIdentity.arn}}`) intended to make a CloudTrail modification.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:UpdateTrail","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"configuration_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"configuration_modified > 0"}],"type":"log_detection","id":"4hv-083-miw","createdAt":1585870283907,"name":"AWS CloudTrail configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch Log Group is deleted. \n\n## Strategy\nDetect when a `@evt.name:DeleteLogGroup` event occurs successfully.\n\n## Triage and response\n1. Ensure that the `{{@requestParameters.logGroupName}}` log group is not used for auditing or security purposes.\n2. If it is then:\n * Ensure that the user: `{{@userIdentity.session_name}}` should be making this type of API call to your `{{env}}` environment.\n * Consider whitelisting the log group name: `{{@requestParameters.logGroupName}}` via a [suppression list][1]\n3. 
If not, begin your company's IR process and investigate.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1] https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteLogGroup -@level:Error -@http.useragent:(cloudformation.amazonaws.com OR *www.terraform.io*) -@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"j9h-inc-lg8","createdAt":1631618551008,"name":"AWS CloudWatch log group deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:amazon-cloudwatch","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a CloudWatch rule has been disabled or deleted.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if a [`DisableRule`][1] or [`DeleteRule`][2] API call has occurred. An attacker may delete rules in an attempt to evade defenses.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, consider including the EventBus name in a [suppression list][6]: `{{@requestParameters.eventBusName}}`.\n * If **No**, enable or create a rule using the `aws-cli` commands [`enable-rule`][4] or [`put-rule`][3], respectively, or reference the [AWS documentation][5] to revert the rules back to the last known good state.\n * Begin your company's IR process and investigate.\n\n## Changelog\n* 4 October 2022 - Updated severity\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/events/put-rule.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/events/enable-rule.html\n[5]: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html\n[6]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#customize-security-signal-messages-to-fit-your-environment","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DisableRule OR DeleteRule) -@userIdentity.invokedBy:(backup.amazonaws.com OR schemas.amazonaws.com OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudwatch_disable_or_delete_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"cloudwatch_disable_or_delete_rule > 0"}],"type":"log_detection","id":"dti-qfr-zle","createdAt":1631618552583,"name":"AWS CloudWatch rule disabled or 
deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","control:4.9","requirement:Monitoring","framework:cis-aws","scope:amazon-config","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by disabling or modifying AWS Config.\n\n## Strategy\nThis rule lets you monitor these AWS Config API calls per [CIS-AWS-4.9: Ensure a log metric filter and alarm exist for AWS Config configuration changes][5]:\n\n* [StopConfigurationRecorder][1] \n* [DeleteDeliveryChannel][2] \n* [PutDeliveryChannel][3]\n* [PutConfigurationRecorder][4]\n\n## Triage and response\n1. Determine which if {{@userIdentity.arn}} should have done a {{@evt.name}} to AWS Config.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html\n[2]: https://docs.aws.amazon.com/config/latest/APIReference/API_DeleteDeliveryChannel.html\n[3]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutDeliveryChannel.html\n[4]: https://docs.aws.amazon.com/config/latest/APIReference/API_PutConfigurationRecorder.html\n[5]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_2.html\n\n## Changelog\n* 1 April 2022 - Updated rule and signal message.\n\n* 10 October 2022 - Updated severities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(StopConfigurationRecorder OR DeleteDeliveryChannel)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_deleted_or_stopped","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(PutDeliveryChannel OR 
PutConfigurationRecorder)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_config_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Deleted/Stopped","condition":"aws_config_deleted_or_stopped > 0"},{"status":"info","notifications":[],"name":"Modified","condition":"aws_config_modified > 0"}],"type":"log_detection","id":"p1b-9np-rw1","createdAt":1585870283149,"name":"AWS Config modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to your AWS console without multi-factor authentication.\n\n## Strategy\nThis rule monitors CloudTrail and detects when any `IAMUser` or `Root` user does a `Console Login`, and `@userIdentity.sessionContext.attributes.mfaAuthenticated` has a value of `false`. \n\n**Notes:** \n\n- This rule triggers with a `High` severity if the user logging in is a `Root` user.\n- This rule ignores logins using SAML because 2FA is implemented on the IdP and not through AWS.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate. \n * Use Cloud SIEM - User Investigation dashboard to see if the user: {{@usr.name}} with an account type of: {{@userIdentity.type}} has done any actions after logging in. \n2. If the login was legitimate, request that the user enables 2FA. \n3. If the login wasn't legitimate, rotate the credentials, enable 2FA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n\n## Changelog\n3 March 2022 - Rule updated\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:IAMUser -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin -@additionalEventData.MFAUsed:Yes @responseElements.ConsoleLogin:Success @userIdentity.type:Root -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId","@usr.name"],"aggregation":"count","name":"root_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user console login no mfa","condition":"user_login_without_mfa > 0"},{"status":"high","notifications":[],"name":"root console login no mfa","condition":"root_login_without_mfa > 0"}],"type":"log_detection","id":"wkk-muq-vg8","createdAt":1585870278209,"name":"AWS Console login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the user used MFA.\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. \n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:true -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"impossible travel event for ConsoleLogin with MFA"}],"type":"log_detection","id":"vbv-f3o-8zo","createdAt":1646247475787,"name":"AWS ConsoleLogin with MFA triggered Impossible Travel 
scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1078-valid-accounts","source:cloudtrail","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` performs a `consoleLogin` with a multi-factor authentication (MFA) device.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/h and the account does not have MFA enabled.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. 
\n\n## Changelog\n10 Mar 2022 - Rule updated.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_no_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"@evt.name:ConsoleLogin -@level:Error @userIdentity.sessionContext.attributes.mfaAuthenticated:false -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"a1n-son-6bk","createdAt":1646247437558,"name":"AWS ConsoleLogin without MFA triggered Impossible Travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1562-impair-defenses","source:cloudtrail","scope:aws-detective","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes an Amazon Detective behavior graph.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted an Amazon Detective behavior graph:\n\n* [DeleteGraph][1]\n\n## Triage and response\n1. Determine if the behavior graph should have been deleted.\n2. Determine which user ({{@userIdentity.arn}}) in your organization deleted the behavior graph.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/detective/latest/APIReference/API_DeleteGraph.html\n\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:detective.amazonaws.com @evt.name:DeleteGraph","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oje-vzw-qjp","createdAt":1631642344123,"name":"AWS Detective Graph deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0005-defence-evasion","scope:cloudtrail","technique:T1562-impair-defences","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when CloudTrail has been disabled by creating an event selector on the Trail.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect if an attacker used the [`PutEventSelectors`][1] API call to filter out management events, effectively disabling CloudTrail for the specified Trail.\n\nSee the [public Proof of Concept][2] (PoC) for this attack.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was **not** made legitimately by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or use the [AWS console][4] to revert the event selector back to the last known good state.\n3. 
If the API call was made legitimately by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, work with the user to ensure that CloudTrail logs for the affected account `{{@usr.account_id}}` are being sent to the Datadog platform.\n * If **No**, remove the event selector using the `aws-cli` command [`put-event-selectors`][3] or reference the [AWS console documentation][4] to revert the event selector back to the last known good state.\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html\n[2]: https://github.com/RhinoSecurityLabs/Cloud-Security-Research/tree/master/AWS/cloudtrail_guardduty_bypass\n[3]: https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/put-event-selectors.html\n[4]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"disable_cloudtrail_with_event_selectors","distinctFields":[]},{"query":"source:cloudtrail @eventSource:cloudtrail.amazonaws.com @evt.name:PutEventSelectors @requestParameters.eventSelectors.includeManagementEvents:false @responseElements.eventSelectors.dataResources.type:(\"AWS::S3::Object\" AND \"AWS::Lambda::Function\") @responseElements.eventSelectors.readWriteType:ReadOnly","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_poc","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Public POC","condition":"public_poc > 0"},{"status":"low","notifications":[],"name":"IncludeManagementEvents set to False","condition":"disable_cloudtrail_with_event_selectors > 
0"}],"type":"log_detection","id":"jam-62o-d0n","createdAt":1652796620111,"name":"AWS Disable Cloudtrail with event selectors"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS snapshot is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an EBS snapshot is made public:\n\n* [ModifySnapshotAttribute][1]\n\nThis rule inspects the `@requestParameters.createVolumePermission.add.items.group` array to determine if the string `all` is contained. This is the indicator which means the EBS snapshot is made public.\n\n## Triage and response\n1. Determine if the EBS snapshot should be made public.\n2. Determine which user, `{{@@userIdentity.arn}}`, in your organization made the EBS snapshot public.\n3. Contact the user to see if they intended to make the EBS snapshot public.\n4. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html#examples\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.createVolumePermission.add.items.group:\"all\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kx1-upq-ea2","createdAt":1594140300821,"name":"AWS EBS Snapshot Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1537-transfer-data-to-cloud-account","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the possible exfiltration of an EBS snapshot.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect the following API calls within a 15 minute time window:\n\n* [`CreateSnapshot`][1]\n* [`ModifySnapshotAttribute`][2]\n\nAn attacker can create a EBS snapshot from the EBS volume and modify the permissions of the snapshot to allow it to be shared [publicly][3] or with another AWS account. Using an attacker-controlled account, a new EBS volume can be created from the snapshot and attached to an EC2 instance for analysis.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the API calls.\n2. 
If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any snapshot attributes generated by the user with the `aws-cli` command [`modify-snapshot-attribute`][4].\n * Begin your organization's incident response process and investigate.\n3. If the API calls were made by the user:\n * Determine if the user should be performing these API calls.\n * If **No**, see if other API calls were made by the user and determine if they warrant further investigation.\n\n## Changelog\n* 10 October 2022 - Updated query and severity.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html\n[3]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-ebs-snapshot-made-public/\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-snapshot-attribute.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":7200,"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSnapshot -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (-@userIdentity.assumed_role:(*orca* OR *wiz*) -@responseElements.description:\"Orca automatically generated snapshot\" -@requestParameters.description:auto-generatedbyWiz -@responseElements.description:\"auto-generated by Wiz\")","groupByFields":["@responseElements.snapshotId"],"aggregation":"count","name":"snapshot_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ModifySnapshotAttribute @requestParameters.attributeType:CREATE_VOLUME_PERMISSION -@userIdentity.invokedBy:(dlm.amazonaws.com OR events.amazonaws.com OR backup.amazonaws.com) (@requestParameters.createVolumePermission.add.items.userId:* OR @requestParameters.createVolumePermission.add.items.group:*) 
-@requestParameters.createVolumePermission.add.items.userId:(\"135916806842\" OR \"463932680998\" OR \"727815099310\" OR \"553950354547\" OR \"784971140435\" OR \"222606875197\")","groupByFields":["@requestParameters.snapshotId"],"aggregation":"count","name":"snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"EBS Snapshot created then shared","condition":"snapshot_created > 0 && snapshot_shared > 0"},{"status":"info","notifications":[],"name":"EBS Snapshot shared","condition":"snapshot_shared > 0"}],"type":"log_detection","id":"dka-ecn-adr","createdAt":1655223749994,"name":"AWS EBS Snapshot possible exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis-aws","control:2.2.1","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EBS encryption is disabled by default. \n\n## Strategy\nMonitor CloudTrail and detect when EBS encryption is disabled by default via the following API call:\n\n* [DisableEbsEncryptionByDefault][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user and let them know that it is best practice to enable EBS encryption by default.\n3. 
Re-enable EBS encryption by default.\n\nFor more information about Amazon EBS Encryption, check out the [Amazon EBS Encryption][2] documentation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html\n\n## Changelog\n18 March 2022 - Rule query and severity updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DisableEbsEncryptionByDefault","groupByFields":["@usr.account_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4s7-uuu-lo8","createdAt":1585870284527,"name":"AWS EBS default encryption disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","security:attack","technique:T1522-cloud-instance-metadata-api"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes a DNS request and resolves to the AWS metadata IP address (169.254.169.254).\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MetadataDNSRebind][2]\n\n\n## Triage and response\n1. Determine which process made the DNS request. The DNS request can be found in the samples.\n2. Ensure the process is not a victim of an SSRF attack to steal the AWS EC2 Instance profile's STS credentials. \n2. 
If the STS credentials are compromised:\n * Review the AWS [documentation][3] on revoking the session.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#ec2-metadatadnsrebind\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MetadataDNSRebind)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"aad-vqz-7tk","createdAt":1587525387807,"name":"AWS EC2 Instance Victim to Metadata DNS Rebind Attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is compromised and sending spam emails.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Backdoor:EC2/Spambot][2]\n\n\n## Triage and response\n1. Determine if the EC2 should be sending out email over port 25. \n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/Spambot)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ecn-gew-dg2","createdAt":1587525385866,"name":"AWS EC2 instance Sending spam emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a malicious server.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/C&CActivity.B!DNS][2]\n* [Trojan:EC2/BlackholeTraffic][3]\n* [Trojan:EC2/DropPoint][4]\n* [Trojan:EC2/BlackholeTraffic!DNS][5]\n* [Trojan:EC2/DriveBySourceTraffic!DNS][6]\n* [Trojan:EC2/DropPoint!DNS][7]\n* [Trojan:EC2/DGADomainRequest.B][8]\n* [Trojan:EC2/DGADomainRequest.C!DNS][9]\n* [Trojan:EC2/DNSDataExfiltration][10]\n* [Trojan:EC2/PhishingDomainRequest!DNS][11]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][12] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan4\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan5\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan6\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan7\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan8\n[8]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan9\n[9]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan95\n[10]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan10\n[11]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_trojan.html#trojan11\n[12]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Trojan\\:EC2\\/BlackholeTraffic OR Trojan\\:EC2\\/DropPoint OR Trojan\\:EC2\\/BlackholeTraffic\\!DNS OR Trojan\\:EC2\\/DriveBySourceTraffic\\!DNS OR Trojan\\:EC2\\/DropPoint\\!DNS OR Trojan\\:EC2\\/DGADomainRequest.B OR Trojan\\:EC2\\/DGADomainRequest.C\\!DNS OR Backdoor\\:EC2\\/C&CActivity.B\\!DNS OR Trojan\\:EC2\\/PhishingDomainRequest\\!DNS)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9du-jhn-b4f","createdAt":1587525393367,"name":"AWS EC2 instance communicated 
with a malicious server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0011-command-and-control","technique:T1571-non-standard-port"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating over an unusual port.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/NetworkPortUnusual][2]\n\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior3\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/NetworkPortUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qfd-ned-cjn","createdAt":1587525391873,"name":"AWS EC2 instance communicating over unusual port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is communicating with a cryptocurrency server\n\n## Strategy\nThis rule lets you leverage GuardDuty to detect when an EC2 instance has made a DNS request or is communicating with an IP that is associated with cryptocurrency operations. 
The following GuardDuty Findings trigger this signal:\n\n* [CryptoCurrency:EC2/BitcoinTool.B!DNS][1]\n* [CryptoCurrency:EC2/BitcoinTool.B][2]\n\n\n## Triage and response\n1. Determine which domain name or IP address triggered the signal. This can be found in the samples. \n2. If the domain or IP address should not have been requested, open a security investigation, and determine which process requested the domain name or IP address.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto3\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(CryptoCurrency\\:EC2\\/BitcoinTool.B\\!DNS OR CryptoCurrency\\:EC2\\/BitcoinTool.B)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ky3-ds4-ipb","createdAt":1585870276326,"name":"AWS EC2 instance communicating with a cryptocurrency server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection to a malcious IP address.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/MaliciousIPCaller.Custom][2]\n\n## Triage and response\n1. Determine which IP address triggered the signal. This can be found in the sample.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/MaliciousIPCaller.Custom)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"22j-qk6-qv3","createdAt":1587525389461,"name":"AWS EC2 instance communicating with malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is conducting a port scan.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Recon:EC2/Portscan][2]\n\n\n## Triage and response\n1. Determine why traffic from the EC2 instance appears to be conducting a port scan.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n \n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon5\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/Portscan)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1y-h5t-gnp","createdAt":1587525376478,"name":"AWS EC2 instance conducting a port scan"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being used as a TOR relay.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorRelay][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be uses as a TOR relay. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized14\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorRelay)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tpv-3qf-v90","createdAt":1587525388119,"name":"AWS EC2 instance connecting to TOR as a relay"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","security:threat-intel","source:guardduty"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance receives an inbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorIPCaller][2]\n\n\n## Triage and response\n1. This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized7\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorIPCaller)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"1ew-u8i-att","createdAt":1587525383148,"name":"AWS EC2 instance inbound connections from TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Brute Force Attacks\n\n## Strategy\nLeverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:\n\n* [UnauthorizedAccess:EC2/SSHBruteForce][1]\n* [UnauthorizedAccess:EC2/RDPBruteForce][2]\n\n\n## Triage and response\n1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either `ACTOR` or `TARGET`.\n * If you are the `TARGET` and the instance is available on the internet, expect to see IPs scanning your systems.\n * If you are the `TARGET` and the instance is **not** available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.\n * If you are the `ACTOR`, this means that your instance is performing brute force attacks on other systems. 
Open an investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized9\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized10\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":18,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:ACTOR","groupByFields":["instance-id"],"aggregation":"count","name":"actor","distinctFields":[]},{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/SSHBruteForce OR UnauthorizedAccess\\:EC2\\/RDPBruteForce OR Impact\\:EC2\\/WinRMBruteForce) @detail.service.resourceRole:TARGET","groupByFields":["instance-id"],"aggregation":"count","name":"target","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Actor","condition":"actor > 0"},{"status":"info","notifications":[],"name":"Target","condition":"target > 0"}],"type":"log_detection","id":"vyl-ylc-3io","createdAt":1585870284202,"name":"AWS EC2 instance involved in brute force attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","security:anomaly","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance network traffic volume is unusual.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Behavior:EC2/TrafficVolumeUnusual][2]\n\n## Triage and response\n1. Determine which port triggered the signal. This can be found in the samples.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance.\n\n## Changelog\n* 10 October 2022 - Updated tags.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_behavior.html#behavior4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Behavior\\:EC2\\/TrafficVolumeUnusual)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipt-dpt-t69","createdAt":1587525393982,"name":"AWS EC2 instance network traffic volume unusual"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0011-command-and-control","technique:T1188-multi-hop-proxy","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an outbound network connection from TOR.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [UnauthorizedAccess:EC2/TorClient][2]\n\n\n## Triage and response\n1. Determine if the EC2 instance should be making requests to TOR. \n2. If the instance is compromised:\n * Review the AWS [documentation][3] on remediating a compromised EC2 instance. 
\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized13\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:EC2\\/TorClient)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ihd-q9p-mwx","createdAt":1587525381864,"name":"AWS EC2 instance outbound connections to TOR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is participating in a Denial of Service (DoS) attack.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Backdoor:EC2/DenialOfService.Tcp][2]\n* [Backdoor:EC2/DenialOfService.Udp][3]\n* [Backdoor:EC2/DenialOfService.Dns][4]\n* [Backdoor:EC2/DenialOfService.UdpOnTcpPorts][5]\n* [Backdoor:EC2/DenialOfService.UnusualProtocol][6]\n\n\n## Triage and response\n1. Determine if the EC2 instance is compromised and participating in a DoS attack.\n2. 
If the instance is compromised:\n * Review the AWS [documentation][7] on remediating a compromised EC2 instance.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor8\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor9\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor10\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor11\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_backdoor.html#backdoor12\n[7]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Backdoor\\:EC2\\/DenialOfService.Tcp OR Backdoor\\:EC2\\/DenialOfService.Udp OR Backdoor\\:EC2\\/DenialOfService.Dns OR Backdoor\\:EC2\\/DenialOfService.UdpOnTcpPorts OR Backdoor\\:EC2\\/DenialOfService.UnusualProtocol)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3l6-vrm-iyn","createdAt":1587525383757,"name":"AWS EC2 instance participating in a DoS attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","source:guardduty","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is being probed by a scanner.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:EC2/PortProbeUnprotectedPort][2]\n* [Recon:EC2/PortProbeEMRUnprotectedPort][3]\n\n\n## Triage and response\n1. 
This is typically an informative signal. However, if this instance should not be publicly available, you should review the security group for this instance. \n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon6\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#PortProbeEMRUnprotectedPort\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:EC2\\/PortProbeUnprotectedPort OR Recon\\:EC2\\/PortProbeEMRUnprotectedPort)","groupByFields":["instance-id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mrq-h3x-jus","createdAt":1587525381084,"name":"AWS EC2 instance probed by scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS EKS node group makes a new API call.\n\n## Strategy\nThis rule sets a baseline for host activity across an AWS EKS node group, and enables detection of potentially anomalous activity when a node group makes a new API call.\n\nA new API call from a node group can indicate an attacker gaining a foothold within the system and trying API calls not normally associated with this node group.\n\n## Triage and response\n1. Investigate API activity for the AWS EKS node group to determine if the specific API call is malicious.\n2. Review any other security signals for the AWS EKS node group.\n3. 
If the activity is deemed malicious:\n * If possible, isolate the compromised hosts.\n * Determine what other API calls were made by the EKS node group.\n * Begin your organization's incident response process and investigate.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":21,"learningThreshold":0},"keepAlive":3600},"version":187,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["eks_nodegroup-name"],"query":"source:cloudtrail"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"nkn-aw3-xb2","createdAt":1633097159259,"name":"AWS EC2 new event for EKS Node Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an application on a host has a new, unrecognized API call.\n\n## Strategy\nUsing the `New Value` detection method, find when an `application` has a new `@evt.name` on a `host`.\n\n## Triage and response\n1. Determine if the `host: {{host}}` running the `application: {{application}}` should have done the following event(s)`{{@evt.name}}`:\n * If yes, you can `Archive` the signal.\n * If no, investigate further by clicking on the **Suggested Actions** tab for the signal\n2. 
If necessary, initiate your company's incident response process.\n\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@evt.name","aggregation":"new_value","metrics":["@evt.name"],"groupByFields":["application"],"query":"source:cloudtrail host:i-*"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"qcg-jbs-kcd","createdAt":1632769125953,"name":"AWS EC2 new event for application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an EC2 subnet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting an EC2 subnet.\n\n* [DeleteSubnet][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be deleting EC2 subnets.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Update rule and signal message\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-subnet.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:DeleteSubnet -@level:Error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ygi-fi5-qns","createdAt":1585870282197,"name":"AWS EC2 subnet deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecs","technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying an ECS Cluster\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an ECS cluster is deleted:\n\n* [DeleteCluster][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arm}} should be making a {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n1 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_DeleteCluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecs.amazonaws.com @evt.name:DeleteCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"vwu-6id-9lz","createdAt":1585870279810,"name":"AWS ECS cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:elb","scope:elb","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous `@http.useragent`. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application using an HTTP header from [darkqusar][1]'s [gist][2]. The detection does this using 2 cases:\n* Case 1: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `200 TO 299`\n* Case 2: The scanner is accessing several unique `@http.url_details.path`s and receiving `@http.status_code`s in the range of `400 TO 499`\n\n## Triage and response\n1. Determine if this IP: {{@network.client.ip}} is making authenticated requests to the application.\n2. 
Check if these authentication requests are successful.\n * If they are successful, change the status of the signal to `UNDER REVIEW` and begin your company's incident response plan.\n * If they are not successful, `ARCHIVE` the signal.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Update rule cases and signal message.\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:elb @http.status_code:[400 TO 499] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_400s_and_unique_paths","distinctFields":["@http.url_details.path"]},{"query":"source:elb @http.status_code:[200 TO 299] @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR 
*alert*)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"multiple_200s_and_unique_paths","distinctFields":["@http.url_details.path"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"scan detected returning several 200s","condition":"multiple_200s_and_unique_paths > 10"},{"status":"info","notifications":[],"name":"scan detected returning several 400s","condition":"multiple_400s_and_unique_paths > 10"}],"type":"log_detection","id":"csd-1pb-wxh","createdAt":1587530043452,"name":"AWS ELB HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:eventbridge","iaas:aws","technique:T1089-disabling-security-tools","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting or disabling EventBridge rules.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is modifying or disabling EventBridge rules:\n\n* [DeleteRule][1]\n* [DisableRule][2]\n\n## Triage and response\n1. Determine if the arn: {{@userIdentity.arn}} should have made the {{@evt.name}} API call.\n2. Contact the user to see if they intended to make this API call.\n3. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n**NOTE:** Your organization should tune out user agents that are valid and triggering this signal. 
To do this, see our [Fine-tune security signals to reduce noise][3] blog.\n\n## Changelog\n4 April 2022 - Rule query, options and signal markdown updated.\n\n[1]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html\n[2]: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html\n[3]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/#fine-tune-security-signals-to-reduce-noise\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:events.amazonaws.com @evt.name:(DeleteRule OR DisableRule)","groupByFields":["@userIdentity.arn","@requestParameters.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mq6-cjx-h9o","createdAt":1585870277044,"name":"AWS EventBridge rule disabled or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","source:amazon-fsx","scope:amazon-fsx","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify users accessing files they do not have permission to access.\n\n## Strategy\nMonitor AWS FSx logs and detect more than 10 occurrences where `@evt.id` is equal to `4656` and `@Event.System.Keywords` is equal to `0x8010000000000000`. \n\n## Triage & Response\n1. Inspect the log and determine if the user should be accessing the file: `{{@ObjectName}}`.\n2. If access is not legitimate, investigate user `({{@usr.id}})` activity. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:aws.fsx @evt.id:4656 @Event.System.Keywords:0x8010000000000000","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"file_deny","distinctFields":["@ObjectName"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"file_deny > 10"}],"type":"log_detection","id":"vsj-4y9-rg1","createdAt":1627668329581,"name":"AWS FSx Excessive File Denied"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail","tactic:TA0005-defense-evasion","technique:T1066-indicator-removal-from-tools","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is removing a FlowLogs collector.\n\n## Strategy\nThis rule lets you monitor this EC2 API call:\n\n* [DeleteFlowLogs][1]\n\n## Triage and response\n1. Determine if arn: {{@userIdentity.arn}} should make this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n4 April 2022 - Rule query and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteFlowLogs -@responseElements.DeleteFlowLogsResponse.unsuccessful:\"\"","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cws-b4f-uoh","createdAt":1585870278493,"name":"AWS FlowLogs removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1089-disabling-security-tools","scope:guardduty","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty detector.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty Detector:\n\n* [DeleteDetector][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/ug/delete-detector.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteDetector","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pzi-led-yyc","createdAt":1585870279177,"name":"AWS GuardDuty detector deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a publishing destination for a detector which will prevent the exporting of findings. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has deleted a Guard Duty publishing destination.\n\n* [DeletePublishingDestination][1]\n\n## Triage and response\n1. Determine which user in your organization owns the API key that made this API call.\n2. Contact the user to see if they intended to make this API call.\n3. 
If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n[1]: https://docs.aws.amazon.com/fr_fr/guardduty/latest/APIReference/API_DeletePublishingDestination.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeletePublishingDestination","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdm-leo-ndi","createdAt":1631642345554,"name":"AWS GuardDuty publishing destination deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:guardduty","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is trying to evade defenses by deleting a GuardDuty ThreatIntelSet.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a GuardDuty ThreatIntelSet:\n\n* [DeleteThreatIntelSet][1]\n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Replace ThreatIntelSets deleted by the user with the `aws-cli` command [create-threat-intel-set][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call and if it was an authorized change.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteThreatIntelSet.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/guardduty/create-threat-intel-set.html\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:DeleteThreatIntelSet","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"aws_guardduty_threatintel_set_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"aws_guardduty_threatintel_set_deleted > 0"}],"type":"log_detection","id":"vzr-qw9-k82","createdAt":1631642339660,"name":"AWS GuardDuty threat intel set deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","technique:T1098-account-manipulation","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.4","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to an AWS IAM Policy.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when any event pertaining to an AWS IAM policy is detected with one of the following API calls:\n\n* [DeleteGroupPolicy][1]\n* [DeleteRolePolicy][16]\n* [DeleteUserPolicy][2]\n* [PutGroupPolicy][3]\n* [PutRolePolicy][4]\n* [PutUserPolicy][5]\n* [CreatePolicy][6]\n* [DeletePolicy][7]\n* [SetPolicyVersion][17]\n* [CreatePolicyVersion][8]\n* [DeletePolicyVersion][9]\n* [AttachRolePolicy][10]\n* [DetachRolePolicy][11]\n* [AttachUserPolicy][12]\n* 
[DetachUserPolicy][13]\n* [AttachGroupPolicy][14]\n* [DetachGroupPolicy][15]\n\n## Triage and response\n1. Review the IAM Policy change and ensure it does not negatively impact your risk in relation to authentication or authorization controls.\n2. If risk is increased, contact the individual that used the arn: {{@userIdentity.arn}} and determine if {{@evt.name}} API calls were made by them.\n\n## Changelog\n5 April 2022 - Rule modified and signal message updated.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html\n[5]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html\n[7]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html\n[8]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html\n[9]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html\n[10]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[11]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html\n[12]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[13]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html\n[14]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[15]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html\n[16]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html\n[17]: 
https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteGroupPolicy OR PutGroupPolicy OR AttachGroupPolicy OR DetachGroupPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"group_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteRolePolicy OR PutRolePolicy OR AttachRolePolicy OR DetachRolePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"role_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteUserPolicy OR PutUserPolicy OR AttachUserPolicy OR DetachUserPolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"user_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreatePolicy OR DeletePolicy)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"account_policy_modified","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(SetPolicyVersion OR CreatePolicyVersion OR DeletePolicyVersion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"policy_version_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"group policy changed","condition":"group_policy_modified > 0"},{"status":"info","notifications":[],"name":"role policy changed","condition":"role_policy_modified > 0"},{"status":"info","notifications":[],"name":"user policy changed","condition":"user_policy_modified > 0"},{"status":"info","notifications":[],"name":"account policy changed","condition":"account_policy_modified > 0"},{"status":"info","notifications":[],"name":"policy version changed","condition":"policy_version_modified > 
0"}],"type":"log_detection","id":"z8s-u06-ctu","createdAt":1584475584008,"name":"AWS IAM policy changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM group.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM group using the [`AttachGroupPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.groupName}}` group using the `aws-cli` command [detach-group-policy][3].\n3. 
If the API call was made legitimately by the user:\n * Determine if the group `{{@requestParameters.groupName}}` requires the `AdministratorAccess` policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the group to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.groupName","aggregation":"new_value","metrics":["@requestParameters.groupName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachGroupPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"ju1-xlh-bdn","createdAt":1635445988771,"name":"AWS IAM privileged policy was applied to a group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM role.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to a new AWS IAM role via the [`AttachRolePolicy`][2] API call.\n\n## Triage and 
response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.roleName}}` role using the `aws-cli` command [detach-role-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the role `{{@requestParameters.roleName}}` requires the AdministratorAccess policy to perform its intended function.\n * Advise the user to find the [least privileged][4] policy that allows the role to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.roleName","aggregation":"new_value","metrics":["@requestParameters.roleName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachRolePolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\" -@userIdentity.invokedBy:sso.amazonaws.com -@http.useragent:sso.amazonaws.com"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"kjs-xra-wzc","createdAt":1635445977216,"name":"AWS IAM privileged policy was applied to a 
role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","tactic:TA0004-privilege-escalation","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the `AdministratorAccess` policy is attached to an AWS IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attached the AWS managed policy [`AdministratorAccess`][1] to an AWS IAM user using the [`AttachUserPolicy`][2] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove the `AdministratorAccess` policy from the `{{@requestParameters.userName}}` user using the `aws-cli` command [detach-user-policy][3].\n3. If the API call was made legitimately by the user:\n * Determine if the user `{{@requestParameters.userName}}` requires the AdministratorAccess policy to perform the intended function.\n * Advise the user to find the [least privileged][4] policy that allows the user to operate as intended.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html\n[4]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":1800,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":1800},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@requestParameters.userName","aggregation":"new_value","metrics":["@requestParameters.userName"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @eventSource:iam.amazonaws.com @evt.name:AttachUserPolicy @requestParameters.policyArn:\"arn:aws:iam::aws:policy/AdministratorAccess\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"bxi-o7h-c79","createdAt":1635445981975,"name":"AWS IAM privileged policy was applied to a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","technique:T1089-disabling-security-tools","source:guardduty","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is changing sensitive configurations and has no prior history of invoking these APIs.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Stealth:IAMUser/S3ServerAccessLoggingDisabled][2]\n* [Stealth:IAMUser/PasswordPolicyChange][3]\n* [Stealth:IAMUser/CloudTrailLoggingDisabled][4]\n* [Stealth:IAMUser/LoggingConfigurationModified][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth1\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth2\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_stealth.html#stealth3\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Stealth\\:IAMUser\\/S3ServerAccessLoggingDisabled OR Stealth\\:IAMUser\\/PasswordPolicyChange OR Stealth\\:IAMUser\\/CloudTrailLoggingDisabled OR Stealth\\:IAMUser\\/LoggingConfigurationModified)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"48o-8me-0mo","createdAt":1587525385196,"name":"AWS IAM user changing sensitive configurations"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user disables [S3 Block Public Access][1]\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][2] finding:\n\n* [Policy:IAMUser/S3BlockPublicAccessDisabled][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. 
Contact the user and determine why the user disabled the S3 Block Access feature. \n3. Re-enable S3 Block Public Access.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n[2]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy2\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/S3BlockPublicAccessDisabled)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"loc-nk4-pkc","createdAt":1587525377921,"name":"AWS IAM user disabled S3 Block Public Access"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=1&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","source:guardduty","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user is attempting to escalate permissions.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [PrivilegeEscalation:IAMUser/AdministrativePermissions][2]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_privilegeescalation.html#privilegeescalation1\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PrivilegeEscalation\\:IAMUser\\/AdministrativePermissions)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dsb-ciq-vrt","createdAt":1587525384559,"name":"AWS IAM user escalating privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","tactic:TA0007-disocvery","technique:T1580-cloud-infrastructure-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests with hacking tools.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [PenTest:IAMUser/KaliLinux][2]\n* [PenTest:IAMUser/ParrotLinux][3]\n* [PenTest:IAMUser/PentooLinux][4]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][5] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_pentest.html#pentest3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(PenTest\\:IAMUser\\/KaliLinux OR PenTest\\:IAMUser\\/ParrotLinux OR PenTest\\:IAMUser\\/PentooLinux)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ocf-ys6-78v","createdAt":1587525392995,"name":"AWS IAM user making API requests with hacking tools"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:threat-intel","source:guardduty","tactic:TA0007-discovery","security:attack","technique:T1526-cloud-service-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user makes API requests from a malicious IP.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [Recon:IAMUser/TorIPCaller][2]\n* [Recon:IAMUser/MaliciousIPCaller.Custom][3]\n* [Recon:IAMUser/MaliciousIPCaller][4]\n* [UnauthorizedAccess:IAMUser/MaliciousIPCaller][5]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][6] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon2\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_recon.html#recon3\n[5]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized5\n[6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Recon\\:IAMUser\\/TorIPCaller OR Recon\\:IAMUser\\/MaliciousIPCaller.Custom OR Recon\\:IAMUser\\/MaliciousIPCaller OR UnauthorizedAccess\\:IAMUser\\/MaliciousIPCaller)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"8w7-aaz-ojp","createdAt":1587525380153,"name":"AWS IAM user requests from malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:guardduty","security:anomaly","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS IAM user login is suspicious.\n\n## Strategy\nThis rule lets you monitor these [GuardDuty integration][1] findings:\n\n* [UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B][2]\n* [UnauthorizedAccess:IAMUser/ConsoleLogin][3]\n\n## Triage and response\n1. Determine which user triggered the signal. This can be found in the signal.\n2. Determine if the user's credentials are compromised. \n3. 
If the user's credentials are compromised:\n * Review the AWS [documentation][4] on remediating compromised AWS credentials.\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized4\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_unauthorized.html#unauthorized12\n[4]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(UnauthorizedAccess\\:IAMUser\\/ConsoleLoginSuccess.B OR UnauthorizedAccess\\:IAMUser\\/ConsoleLogin)","groupByFields":["@detail.resource.accessKeyDetails.userName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kme-i0z-ylv","createdAt":1587525388403,"name":"AWS IAM user suspicious login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","scope:kms","requirement:Monitoring","tactic:TA0040-impact","framework:cis-aws","control:4.7","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a KMS (Key Management Service) key is deleted or scheduled for deletion.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect if an attacker is deleting KMS keys:\n* [DisableKey][1]\n* [ScheduleKeyDeletion][2]\n\n## Triage and response\n1. Determine if `user ARN:` {{@userIdentity.arn}} in your organization should be making this call.\n2. 
If the user did not make the API call:\n * Rotate the credentials.\n * Use the `Cloud SIEM - User Investigation` OOTB dashboard to investigate other potential unauthorized API calls from this user.\n\n[1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html\n[2]: https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html \n\n## Changelog\n16 March 2022 - Rule severity and markdown updated.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(DisableKey OR ScheduleKeyDeletion)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iff-hhm-bd3","createdAt":1584475576501,"name":"AWS KMS key deleted or scheduled for deletion"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","scope:firehose"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when an AWS Kinesis Firehose Destination is modified.\n\n## Strategy\nThe rule monitors AWS Kinesis Firehose logs `@eventSource:firehose.amazonaws.com` and detects when the `@evt.name` is `UpdateDestination`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:firehose.amazonaws.com @evt.name:UpdateDestination -@http.useragent:(cloudformation.amazonaws.com OR APN\\/*)","groupByFields":["@requestParameters.deliveryStreamName"],"aggregation":"count","name":"firehose_destination_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"firehose_destination_modified","condition":"firehose_destination_modified > 0"}],"type":"log_detection","id":"jwi-qgm-ncc","createdAt":1632158028824,"name":"AWS Kinesis Firehose stream destination modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","control:4.11"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Access Control List (NACL) has been created, deleted or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS NACL has been created, deleted or modified with one of the following API calls:\n* [CreateNetworkAcl][1] \n* [CreateNetworkAclEntry][2] \n* [DeleteNetworkAcl][3] \n* [DeleteNetworkAclEntry][4] \n* [ReplaceNetworkAclEntry][5] \n* [ReplaceNetworkAclAssociation][6]\n\n## Triage and response\n1. Determine if the usr with arn: {{@userIdentity.arn}} should have used the API call: {{@evt.name}}.\n2. Contact the user and see if this API call was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n## Changelog\n5 April 2022 - Rule queries, cases and signal message updated.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html\n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclEntry.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceNetworkAclAssociation.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateNetworkAcl OR CreateNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteNetworkAcl OR DeleteNetworkAclEntry)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_deleted","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceNetworkAclEntry OR ReplaceNetworkAclAssociation)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"nacl_updated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"network ACL/ACL entry created","condition":"nacl_created > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry deleted","condition":"nacl_deleted > 0"},{"status":"info","notifications":[],"name":"network ACL/ACL entry updated","condition":"nacl_updated > 0"}],"type":"log_detection","id":"pcs-k05-rbc","createdAt":1584475579808,"name":"AWS Network 
Access Control List created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.12","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Network Gateway has been created or modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS Network Gateway has been created or modified with one of the following API calls:\n* [CreateCustomerGateway][1] \n* [DeleteCustomerGateway][2] \n* [AttachInternetGateway][3] \n* [CreateInternetGateway][4]\n* [DeleteInternetGateway][5] \n* [DetachInternetGateway][6]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule cases and signal message.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateCustomerGateway \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteCustomerGateway \n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AttachInternetGateway \n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateInternetGateway \n[5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteInternetGateway \n[6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DetachInternetGateway.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(CreateCustomerGateway OR 
CreateInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"create_gateway","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteCustomerGateway OR DeleteInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"delete_gateway","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AttachInternetGateway OR DetachInternetGateway)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_gateway","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"create gateway","condition":"create_gateway > 0"},{"status":"info","notifications":[],"name":"delete gateway","condition":"delete_gateway > 0"},{"status":"info","notifications":[],"name":"modify gateway","condition":"modify_gateway > 0"}],"type":"log_detection","id":"umr-47s-eyj","createdAt":1584475581301,"name":"AWS Network Gateway created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","iaas:aws","tactic:TA0040-impact","source:cloudtrail","scope:rds","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deleted a database cluster in RDS.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a RDS cluster:\n\n* [DeleteDBCluster][1]\n\n## Triage and response\n1. Determine if the API call: {{@evt.name}} should have occurred.\n2. If it shouldn't have been made:\n * Contact the user: {{@userIdentity.arn}} and see if they made the API call.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made with the old credentials that were not made by the user.\n\n## Changelog\n6 April 2022 - Updated rule and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/rds/delete-db-cluster.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteDBCluster","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"6ng-pk1-ukh","createdAt":1585870276546,"name":"AWS RDS Cluster deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:guardduty","control:cis-1.1","framework:cis-aws","technique:T1078-valid-accounts","control:cis-3.3","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the AWS root user credentials are used.\n\n## Strategy\nThis rule lets you monitor this [GuardDuty integration][1] finding:\n\n* [Policy:IAMUser/RootCredentialUsage][2]\n\n## Triage and response\n1. Determine whether the root account activity was legitimate. \n * Review the sample for context. \n * Review CloudTrail logs for a full investigation. \n3. 
If the root user's credentials are compromised:\n * Review the AWS [documentation][3] on remediating compromised AWS credentials.\n\n**[Root Account Best Practices][4]**\n\n[1]: https://docs.datadoghq.com/integrations/amazon_guardduty/\n[2]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_policy.html#policy1\n[3]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-creds\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:guardduty @evt.name:(Policy\\:IAMUser\\/RootCredentialUsage)","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cjm-gyr-zxb","createdAt":1587525393683,"name":"AWS Root credential activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user deletes a Route 53 query logging configuration.\n\n## Strategy\nMonitor cloudtrail logs where `@evt.name` is `DeleteResolverQueryLogConfig` which would stop Route53 Query logging for all of the Amazon VPCs that are associated with the configuration.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DeleteResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"0pz-0jr-nfz","createdAt":1631642351057,"name":"AWS Route 53 DNS query logging disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:route53","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disassociates a VPC from the query logging configuration.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disassociated.\n\n* [DisassociateResolverQueryLogConfig][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DisassociateResolverQueryLogConfig.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:DisassociateResolverQueryLogConfig","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"nmk-a8n-zig","createdAt":1631642344888,"name":"AWS Route 53 VPC disassociated from query logging configuration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","control:4.13","requirement:Monitoring","framework:cis-aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Route Table has been created or modified.\n\n## Strategy\nThis rule lets you monitor CloudTrail and detect when an AWS Route Table has been created or modified with one of the following API calls:\n* [CreateRoute][1] \n* [CreateRouteTable][2] \n* [ReplaceRoute][3] \n* [ReplaceRouteTableAssociation][4] \n* [DeleteRouteTable][5] \n* [DeleteRoute][6] \n* [DisassociateRouteTable][7]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n\n## Changelog\n6 April 2022 - Update signal message. Updated rule query/case layout\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html \n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html \n [7]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":43200,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(CreateRoute OR CreateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(ReplaceRoute OR ReplaceRouteTableAssociation OR DisassociateRouteTable)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(DeleteRouteTable OR DeleteRoute)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"route_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"VPC route table created","condition":"route_created > 0"},{"status":"info","notifications":[],"name":"VPC route table modified","condition":"route_modified > 0"},{"status":"info","notifications":[],"name":"VPC route table deleted","condition":"route_deleted > 0"}],"type":"log_detection","id":"qgo-jqs-03x","createdAt":1584475582644,"name":"AWS Route Table 
created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket policy is made public.\n\n## Strategy\nThis rule lets you monitor these CloudTrail API calls to detect when an AWS bucket is made public:\n\n* [PutBucketAcl][1]\n\nThis rule inspects the `@requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI` array to determine if either of the strings are contained:\n* `http://acs.amazonaws.com/groups/global/AuthenticatedUsers`\n* `http://acs.amazonaws.com/groups/global/AllUsers`\n\nA match of either of these string indicates the S3 bucket policy is made public.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Update rule and signal message.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:PutBucketAcl -@level:Error @requestParameters.AccessControlPolicy.AccessControlList.Grant.Grantee.URI:(\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" OR \"http://acs.amazonaws.com/groups/global/AllUsers\")","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"zdk-9gu-nrg","createdAt":1594140279364,"name":"AWS S3 Bucket ACL Made Public"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:7.2.1","iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","framework:pci","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the S3 Public Access Block configuration has been removed \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting the S3 Public Access Block configuration:\n\n* [DeleteAccountPublicAccessBlock][1]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and inform them of best practices of enabling Public Access Block on S3 buckets.\n3. 
Re-enable Public Access Block on the S3 bucket.\n\nMore details on S3 Public Block Public Access can be found [here][2].\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/s3api/delete-public-access-block.html\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html\n\n## Changelog\n18 March 2022 - updated severity and query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:error @evt.name:DeleteAccountPublicAccessBlock","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"public_access_block_removed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"User removed public access block","condition":"public_access_block_removed > 0"}],"type":"log_detection","id":"uxr-5wk-8hk","createdAt":1585870280316,"name":"AWS S3 Public Access Block removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","technique:T1562-impair-defenses","source:cloudtrail","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user disables AWS Security Hub.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user has disabled AWS Security Hub:\n\n* [DisableSecurityHub][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. Contact the principal owner and see if this was an API call that was made by the user.\n3. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query and signal message.\n\n[1]: https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DisableSecurityHub.html","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"not_cloudformation_action","distinctFields":[]},{"query":"source:cloudtrail @network.client.ip:cloudformation.amazonaws.com -@level:Error @evt.name:DisableSecurityHub","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"cloudformation_action","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"not a cloudformation action","condition":"not_cloudformation_action > 0"},{"status":"low","notifications":[],"name":"cloudformation action","condition":"cloudformation_action > 0"}],"type":"log_detection","id":"obj-kmn-bsa","createdAt":1631642348526,"name":"AWS Security Hub disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:vpc","iaas:aws","requirement:Monitoring","framework:cis-aws","control:4.14","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is destroying a VPC.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if an attacker is deleting a VPC:\n\n* [DeleteVpc][1]\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
Contact the principal owner and see if this was an API call that was made by the user.\n3. If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n7 April 2022 - Updated rule query, cases and signal message.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail -@level:Error @evt.name:(DeleteVpc OR DeleteVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_deleted","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(CreateVpc OR CreateVpcPeeringConnection)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_created","distinctFields":[]},{"query":"source:cloudtrail -@level:Error @evt.name:(ModifyVpcAttribute OR AcceptVpcPeeringConnection OR RejectVpcPeeringConnection OR AttachClassicLinkVpc OR DetachClassicLinkVpc OR DisableVpcClassicLink OR EnableVpcClassicLink)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"vpc_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"vpc deleted","condition":"vpc_deleted > 0"},{"status":"info","notifications":[],"name":"vpc created","condition":"vpc_created > 0"},{"status":"info","notifications":[],"name":"vpc modified","condition":"vpc_modified > 0"}],"type":"log_detection","id":"igj-dr4-ico","createdAt":1585870280906,"name":"AWS VPC created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a specific AWS Web Application Firewall (WAF) rule blocks 
an anomalous amount of traffic.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@webaclId`: `{{@webaclId}}` logs to confirm if the observed traffic should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"count","name":"waf_traffic_block","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"scr-lzp-wrd","createdAt":1632158031553,"name":"AWS WAF traffic blocked by specific rule"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a specific AWS Web Application Firewall (WAF) rule blocks traffic from multiple IPs.\n\n## Strategy\nThe rule monitors AWS WAF logs and detects when the `@system.action` has a value of `BLOCK`.\n\n## Triage and response\n1. Inspect the `@http.request_id`: `{{@http.request_id}}` to confirm if this request should have been blocked or not.\n2. If the request should have been blocked, then navigate to the IP Investigation dashboard. 
Inspect other requests from the IP address:{{@network.client.ip}} to find any other potentially malicious behaviors from the IP.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"service:waf @system.action:BLOCK","groupByFields":["@webaclId"],"aggregation":"cardinality","name":"waf_traffic_block","distinctFields":["@network.client.ip"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"imr-goq-uww","createdAt":1634658977105,"name":"AWS WAF traffic blocked by specific rule on multiple IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is deleted.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `DeleteWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made by the user, rotate the user credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:DeleteWebACL -@http.useragent:\\APN\\/*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"waf_webacl_deletion > 0"}],"type":"log_detection","id":"8js-pr5-qga","createdAt":1632158029295,"name":"AWS WAF web access control list deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:waf","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS Web Application Firewall (WAF) Access Control List (ACL) is updated.\n\n## Strategy\nThe rule monitors AWS WAF logs `@eventSource:waf*.amazonaws.com` and detects when the `@evt.name` is `UpdateWebACL`. \n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} is expected to perform the {{@evt.name}} API call on the account: {{@usr.account_id}}.\n2. 
If the API call was not made legitimately by the user, rotate the user's credentials and investigate what other APIs were successfully accessed.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:waf*.amazonaws.com @evt.name:UpdateWebACL -@http.useragent:(\\APN\\/* OR cloudformation.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"waf_webacl_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"waf_webacl_update > 0"}],"type":"log_detection","id":"pmp-fqa-lwy","createdAt":1632158031800,"name":"AWS WAF web access control list modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","iaas:aws","requirement:Monitoring","framework:cis-aws","technique:T1078-valid-accounts","source:cloudtrail","control:3.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect AWS root user activity. \n\n## Strategy\nMonitor CloudTrail and detect when any `@userIdentity.type` has a value of `Root`, but is not invoked by an AWS service or SAML provider.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate. \n2. If the login wasn't legitimate, rotate the credentials, enable 2FA, and open an investigation. 
\n\n* For best practices, check out the [AWS Root Account Best Practices][1] documentation.\n* For compliance, check out the [CIS AWS Foundations Benchmark controls][2] documentation.\n\n## Changelog\n30 March 2022 - Updated query and signal message.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[2]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:Root -@userIdentity.sessionContext.attributes.mfaAuthenticated:false -@userIdentity.invokedBy:* -@eventType:AwsServiceEvent -@additionalEventData.SamlProviderArn:*","groupByFields":["@userIdentity.accountId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"2kn-z6k-6kf","createdAt":1585870281964,"name":"AWS root account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group has been modified.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1] \n* [AuthorizeSecurityGroupEgress][2] \n* [RevokeSecurityGroupIngress][3] \n* [RevokeSecurityGroupEgress][4] \n* [CreateSecurityGroup][5] \n* [DeleteSecurityGroup][6]\n\n\n**Note:** There is a separate rule to detect AWS Security Group Open to the World.\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. 
Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html \n [2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html \n [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupIngress.html \n [4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RevokeSecurityGroupEgress.html \n [5]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSecurityGroup.html \n [6]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteSecurityGroup.html\n\n## Changelog\n18 March 2022 - Updated severity, split query into multiple queries, and split the single case into multiple cases.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:CreateSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_created","distinctFields":[]},{"query":"source:cloudtrail @evt.name:(AuthorizeSecurityGroupIngress OR AuthorizeSecurityGroupEgress OR RevokeSecurityGroupIngress OR RevokeSecurityGroupEgress) -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_modified","distinctFields":[]},{"query":"source:cloudtrail @evt.name:DeleteSecurityGroup -@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR 
\"::/0\")","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"security_group_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"security group created","condition":"security_group_created > 0"},{"status":"info","notifications":[],"name":"security group modified","condition":"security_group_modified > 0"},{"status":"info","notifications":[],"name":"security group deleted","condition":"security_group_deleted > 0"}],"type":"log_detection","id":"bax-btp-3ct","createdAt":1584475583507,"name":"AWS security group created, modified or deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1078-valid-accounts","scope:exchange-server","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event by a user logging in to Microsoft Exchange.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last and the current Microsoft-365 mailbox login event (`@evt.name:MailboxLogin`) to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if `{{@usr.name}}` should be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` in a short period of time.\n2. If the user should not be connecting from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login. ","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":192,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_mfa","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:Exchange @evt.name:MailboxLogin @evt.outcome:Succeeded @threat_intel.results.category:*"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"9xi-6r1-5o5","createdAt":1638460550019,"name":"Abnormal successful Microsoft 365 Exchange login event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:gcp","scope:google-cloud-iam","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.\n\n## Strategy \nInspect the GCP Service Account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account {{@usr.id}} is compromised.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"count","name":"access_denied","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"access_denied"}],"type":"log_detection","id":"jsg-pwu-sfv","createdAt":1605263719237,"name":"Access denied for GCP Service Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.11","scope:iam","scored:true","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:7.1.1","control:7.1.2","control:7.1.3","level:1","framework:soc-2","framework:cis-aws","control:A.9.2.3","requirement:IAM","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.\n\n**Programmatic access**: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. 
In that case, create an access key (access key ID and a secret access key) for that user.\n\n**AWS Management Console access**: If the user needs to access the AWS Management Console, create a password for the user.\n\n## Rationale\n\nRequiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are necessary for their work and once the access key is established on an account that the keys may be in use somewhere in the organization.\n\n**Note**: Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html][2]\n2. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html][3]\n\n**Additional Information**: Credential report does not appear to contain \"Key Creation Date\"\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkeys_created_during_setup(credential_report) if {\n\tnot credential_report.access_key_1_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_1_last_rotated\n} else {\n\tnot credential_report.access_key_2_last_used_date\n\tcredential_report.user_creation_time == credential_report.access_key_2_last_rotated\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot keys_created_during_setup(credential_report)\n} else = 
\"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yuh-0pg-pqy","createdAt":1619112188582,"name":"Access keys are not created for IAM user during initial set up"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-C","requirement:Credentials","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.14","cloud_provider:aws","requirement:Control-Activities","framework:soc-2","control:A.9.2.3","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:3.6.4","control:CC6.2","control:CC5.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAccess keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. 
AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. You should regularly rotate all access keys.\n\n## Rationale\n\nRotating access keys reduces the window of opportunity for an access key that is associated with a compromised or terminated account to be used. Access keys should be rotated to ensure that data cannot be accessed with an old key that might have been lost, cracked, or stolen.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78902-4\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials][2]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html][3]\n4. [https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][4]\n5. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html][5]\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#rotate-credentials\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html\n[4]: https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"1.14","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\nmore_than_ninety(timestamp, resource_seen_at) if {\n\tresource_seen_at - timestamp > ninety_days_ms # Not rotated in last 90 
days\n}\n\nactive_and_rotated_more_than_90(credential_report, resource_seen_at) if {\n\tcredential_report.access_key_1_active\n\tmore_than_ninety(credential_report.access_key_1_last_rotated, resource_seen_at)\n} else {\n\tcredential_report.access_key_2_active\n\tmore_than_ninety(credential_report.access_key_2_last_rotated, resource_seen_at)\n}\n\neval(iam_user) = \"pass\" if {\n\tresource_seen_at := iam_user.resource_seen_at\n\tcredential_report := iam_user.credential_report[_]\n\tnot active_and_rotated_more_than_90(credential_report, resource_seen_at)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5se-kvq-6mk","createdAt":1599574003833,"name":"Access keys are rotated every 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:4.3.8","scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.6","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable access from Azure services to PostgreSQL Database Server\n\n## Rationale\n\nIf access from Azure services is enabled, the server's firewall will accept connections from all Azure resources, including resources not in your subscription. This is usually not a desired configuration. Instead, set up firewall rules to allow access from specific network ranges or VNET rules to allow access from specific virtual networks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. In Firewall rules, ensure Allow access to Azure services is set to OFF.\n5. Click Save to apply the changed rule. \n\nAlternatively, use the Azure Command Line Interface and run the below command to delete the `AllowAllAzureIps` rule for PostgreSQL Database:\n\n ```bash\n az postgres server firewall-rule delete --name AllowAllAzureIps --resource-group --server-name \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules\n2. 
https://docs.microsoft.com/en-us/azure/postgresql/howto-manage-firewall-using-cli\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-4-protect-applications-and-services-from-external-network-attacks\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.4 Apply Host-based Firewalls or Port Filtering: Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.\n\n9.5 Implement Application Firewalls: Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.\n\n14.2 Enable Firewall Filtering Between VLANs: Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific 
responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.8","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") @end_ip_address:(\"0.0.0.0\"))","resourceType":"azure_postgresql_firewall_rule","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_firewall_rule (@name:(\"AllowAllAzureIps\") OR @name:(\"ALL\") OR (@start_ip_address:(\"0.0.0.0\") 
@end_ip_address:(\"0.0.0.0\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"fn7-ase-uyc","createdAt":1624867979051,"name":"Access to Azure services for PostgreSQL Database Server is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 5432 (used by the PostgreSQL Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\nMalicious activity, such as hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. 
Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 5432.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 5432 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 5432\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access
-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=5432 @to_port:>=5432))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2ca-hhj-wzj","createdAt":1599574007949,"name":"Access to PostgreSQL Database Server port is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3389 (used to connect a remote Remote Desktop Protocol (RDP) client application with an RDP server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as pass-the-hash (PtH) and man-in-the-middle attacks (MITM), can occur when permitting unfettered access to this port.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3389.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3389 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3389\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.2\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"5.2","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"con
trol":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3389 @to_port:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"oia-snq-ar0","createdAt":1599574006239,"name":"Access to port 3389 is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests.\n\n## Rationale\n\nSetting admission control plugin AlwaysAdmit allows all requests and do not filter any requests. The AlwaysAdmit admission controller was deprecated in Kubernetes v1.13. 
Its behavior was equivalent to turning off all admission controllers.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--enable-admission-plugins` argument's value (if set) does not include `AlwaysAdmit`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and either remove the --enable-admission-plugins parameter, or set it to a value that does not include AlwaysAdmit.\n\n## Impact\n\nOnly requests explicitly allowed by the admissions control plugins would be served.\n\n## Default value\n\nAlwaysAdmit is not in the list of default admission plugins.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#alwaysadmit\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.11","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysr-4gg-vu5","createdAt":1599599454382,"name":"Admission controller AlwaysAdmin is not 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.15","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating objects in a namespace that is undergoing termination.\n\n## Rationale\n\nSetting admission control policy to NamespaceLifecycle ensures that objects cannot be created in non-existent namespaces, and that namespaces undergoing termination are not used for creating the new objects. This is recommended to enforce the integrity of the namespace termination process and also for the availability of the newer objects.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--disable-admission-plugins` argument is set to a value that does not include `NamespaceLifecycle`.\n\n## Remediation\n\nEdit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --disable-admission-plugins parameter to ensure it does not include NamespaceLifecycle.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NamespaceLifecycle is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#namespacelifecycle\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.15","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"elk-zj3-p6m","createdAt":1599605447784,"name":"Admission controller NamespaceLifecycle is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.17","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nLimit the Node and Pod objects that a kubelet could modify.\n\n## Rationale\n\nUsing the NodeRestriction plug-in ensures that the kubelet is restricted to the Node and Pod objects that it could modify as defined. 
Such kubelets will only be allowed to modify their own Node API object, and only modify Pod API objects that are bound to their node.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `NodeRestriction`.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes NodeRestriction. --enable-admission-plugins=...,NodeRestriction,...\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, NodeRestriction is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#noderestriction 3. https://kubernetes.io/docs/admin/authorization/node/ 4. https://acotten.com/post/kube17-security\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.17","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"jre-tn7-yma","createdAt":1599601166101,"name":"Admission controller NodeRestriction is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.16","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReject creating pods that do not match Pod Security Policies.\n\n## Rationale\n\nA Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policies are comprised of settings and strategies that control the security features a pod has access to and hence this must be used to control pod access permissions. Note: When the PodSecurityPolicy admission plugin is in use, there needs to be at least one PodSecurityPolicy in place for ANY pods to be admitted. See section 1.7 for recommendations on PodSecurityPolicy settings.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--enable-admission-plugins` argument is set to a value that includes `PodSecurityPolicy`.\n\n## Remediation\n\nFollow the documentation and create Pod Security Policy objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --enable-admission-plugins parameter to a value that includes PodSecurityPolicy: --enable-admission-plugins=...,PodSecurityPolicy,... Then restart the API Server.\n\n## Impact\n\nThe policy objects must be created and granted before pod creation would be allowed.\n\n## Default value\n\nBy default, PodSecurityPolicy is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. 
https://kubernetes.io/docs/admin/admission-controllers/#podsecuritypolicy 3. https://kubernetes.io/docs/concepts/policy/pod-security-policy/#enabling-pod-security-policies\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.16","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vwz-aw9-c09","createdAt":1599604624793,"name":"Admission controller PodSecurityPolicy is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.14","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAutomate service accounts management.\n\n## Rationale\n\nWhen you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. 
You should create your own service account and let the API server manage its security tokens.\n\n## Audit\n\nRun the following command on the master node:\n\n```bash\nps -ef | grep kube-apiserver\n```\n\nVerify the `--disable-admission-plugins` argument is set to a value that does not include `ServiceAccount`.\n\n## Remediation\n\nFollow the documentation and create ServiceAccount objects as per your environment. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and ensure that the --disable-admission-plugins parameter is set to a value that does not include ServiceAccount.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, ServiceAccount is set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ 2. https://kubernetes.io/docs/admin/admission-controllers/#serviceaccount 3. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n\n## CIS controls\n\nVersion 6 16 Account Monitoring and Control Account Monitoring and Control Version 7 16 Account Monitoring and Control Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.14","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wrk-jrm-u8h","createdAt":1599601597784,"name":"Admission controller ServiceAccount is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:gcp","control:3.4.1","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","source:google_bigquery_table","control:2.2.2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:7.2","control:3.4","control:2.6","requirement:BigQuery","control:2.1","requirement:Control-Activities","scope:google_bigquery_table","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nBy default, BigQuery encrypts data at rest by employing `Envelope Encryption` using\nGoogle managed cryptographic keys. The data is encrypted using the `data encryption keys` and data encryption keys themselves are further encrypted using `key encryption keys`. This is done automatically and does not require any additional input from the user. However, if you want to have greater control, customer-managed encryption keys (CMEK) can be used as an encryption key management solution for BigQuery datasets. If CMEK is used, the CMEK is used to encrypt the data encryption keys, instead of using google-managed encryption keys.\n\n### Default Value\nGoogle-managed keys are used as `key encryption keys`.\n\n## Rationale\nFor greater control over the encryption, customer-managed encryption keys (CMEK) can\nbe used as encryption key management solution for BigQuery tables. CMEK is used to\nencrypt the data encryption keys instead of using google-managed encryption keys.\nBigQuery stores the table and CMEK association. 
The encryption/decryption is done\nautomatically.\n\nApply the default customer-managed keys on BigQuery datasets to ensure that all\nnew tables created in the future will be encrypted using CMEK. However, existing tables need to be updated individually to use CMEK.\n\n## Impact\nUsing customer-managed encryption keys (CMEK) will incur additional labor-hour\ninvestment to create, protect, and manage the keys.\n\n- Note: Google does not store your keys on its servers and cannot access your\nprotected data unless you provide the key. This also means that if you forget\nor lose your key, there is no way for Google to recover the key or to recover\nany data encrypted with the lost key.\n\n## Remediation\nCurrently, there is no way to update the encryption of existing data in the table. The data\nneeds to be copied to either an original table or another table. Either option requires the specification of the\ncustomer managed encryption key (CMEK).\n\n### From the command line:\nUse the following command to copy the data to the original table and encrypt it with the CMEK. The source and the destination needs to be same when copying to the original table.\n\n```\nbq cp --destination_kms_key source_dataset.source_table destination_dataset.destination_table\n```\n\n\n## References\n1. 
[https://cloud.google.com/bigquery/docs/customer-managed-encryption][1]\n\n[1]: https://cloud.google.com/bigquery/docs/customer-managed-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2","framework":"cis-gcp","requirement":"BigQuery","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(bigquery_table) = \"pass\" if {\n\tbigquery_table.encryption_configuration.kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# 
This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_bigquery_table"]},"validationQuery":"","resourceType":"gcp_bigquery_table","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_bigquery_table","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4r0-dtx-hnw","createdAt":1659621698841,"name":"All BigQuery tables are encrypted with customer-managed encryption keys (CMEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Azure","cloud_provider:azure","control:2.7","control:8.1","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","scope:azure.keyvault","requirement:Cardholder-Data","requirement:Logical-and-Physical-Access-Control","control:3.6.4","source:azure.keyvault","framework:security-labs","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all keys in your Azure Key Vault have an expiration time set.\n\n## Rationale\n\nAzure Key Vault enables users to store and use cryptographic keys within the Microsoft Azure environment. The `exp` (expiration time) attribute identifies the expiration time on or after which the key **must not** be used for a cryptographic operation. By default, keys never expire. 
Datadog recommends that keys be rotated in the key vault and set an explicit expiration time for all keys. This ensures that the keys cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Keys.\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all keys. Using the Azure Command Line Interface, update the expiration date for the key using below command:\n\n ```bash\n az keyvault key set-attributes --name --vault-name --expires Y-m-d''T''H:M:S''Z''\n ```\n\n **Note**: To access expiration time on all keys in Azure Key Vault using Microsoft API requires \"List\" Key permission. To provide required access follow below steps:\n\n 1. Go to Key Vaults\n 2. For each Key Vault, click on Access Policy.\n 3. Add access policy with Key permission as List\n\n## Impact\n\nKeys cannot be used beyond their assigned expiration times respectively. Keys need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-keys\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## CIS Controls\n\nVersion 7 13 Data Protection Data Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.7","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_key\"\n\ncompliant(key_vault_key) if {\n\tkey_vault_key.attributes_enabled == true\n\tnot key_vault_key.attributes_exp == 0\n\tnot key_vault_key.attributes_exp == \"\"\n}\n\neval(key_vault_key) = \"pass\" if {\n\tcompliant(key_vault_key)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_key_vault_key"]},"validationQuery":"","resourceType":"azure_key_vault_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"op6-3uk-40w","createdAt":1624867980258,"name":"All keys in Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Network-Policies-and-CNI","control:5.3.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse network policies to isolate traffic in your cluster network.\n\n## Rationale\n\nRunning different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. 
However, if there are no network policies in a namespace, all traffic will be allowed into and out of the pods in that namespace.\n\n## Audit\n\nRun the following command and review the NetworkPolicy objects created in the cluster: `kubectl --all-namespaces get networkpolicy`\n\nEnsure that each namespace defined in the cluster has at least one Network Policy.\n\n## Remediation\n\nFollow the documentation and create network policy objects as you need them.\n\n## Impact\n\nOnce network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. It is important to ensure that, when introducing network policies, legitimate traffic is not blocked.\n\n## Default value\n\nBy default, network policies are not created.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/services-networking/networkpolicies/ ][1]\n2. [https://octetz.com/posts/k8s-network-policy-apis ][2]\n3. [https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/][3]\n\n## CIS controls\n\nVersion 6.14.1 Implement Network Segmentation Based On Information Class Segment - The network based on the label or classification level of the information stored on the servers. 
Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.\n\nVersion 7.14.1 Segment the Network Based on Sensitivity - Segment the network based on the label or classification level of the information stored on the servers, locate all sensitive information on separated Virtual Local Area Networks (VLANs).\n\nVersion 7.14.2 Enable Firewall Filtering Between VLANs - Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.\n\n[1]: https://kubernetes.io/docs/concepts/services-networking/networkpolicies/\n[2]: https://octetz.com/posts/k8s-network-policy-apis\n[3]: https://kubernetes.io/docs/tasks/configure-pod-container/declare-network-policy/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.3.2","framework":"cis-kubernetes","requirement":"Network-Policies-and-CNI","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrw-bae-anz","createdAt":1604312181303,"name":"All namespaces have network policies 
defined"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:2.10","requirement:Azure","cloud_provider:azure","control:8.2","framework:cis-azure","requirement:Confidentiality","control:C1.2","level:1","requirement:Other-Security-Considerations","framework:soc-2","requirement:Change-Management","scope:azure.keyvault","requirement:Logical-and-Physical-Access-Control","source:azure.keyvault","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that all Secrets in the Azure Key Vault have an expiration time set.\n\n## Rationale\n\nThe Azure Key Vault enables users to store and keep secrets within the Microsoft Azure environment. Secrets in the Azure Key Vault are octet sequences with a maximum size of 25k bytes each. The `exp` (expiration time) attribute identifies the expiration time on or after which the secret **must not** be used. By default, secrets never expire. Datadog recommends rotating secrets in the key vault and setting an explicit expiration time for all secrets. This ensures that the secrets cannot be used beyond their assigned lifetimes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Key vaults\n2. For each Key vault, click on Secrets\n3. Under the Settings section, Make sure Enabled? is set to Yes\n4. Set an appropriate expiration date on all secrets. Using the Azure Command Line Interface, use the below command to set expiration date on the all secrets:\n\n ```bash\n az keyvault secret set-attributes --name --vault-name --expires Y-m-d'T'H:M:S'Z'\n ```\n\n## Impact\n\nSecrets cannot be used beyond their assigned expiry times respectively. Secrets need to be rotated periodically wherever they are used.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis\n2. 
https://docs.microsoft.com/en-us/rest/api/keyvault/about-keys--secrets-and-certificates#key-vault-secrets\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-4-set-up-emergency-access-in-azure-ad\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-8-choose-approval-process-for-microsoft-support\n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy\n\n## CIS Controls\n\nVersion 7 16 Account Monitoring and Control\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.10","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_type := \"azure_key_vault_secret\"\n\ncompliant(key_vault_secret) if {\n\tkey_vault_secret.id\n\tkey_vault_secret.attributes_enabled == true\n\tnot key_vault_secret.attributes_exp == 0\n\tnot key_vault_secret.attributes_exp == \"\"\n}\n\neval(key_vault_secret) = \"pass\" if 
{\n\tcompliant(key_vault_secret)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault_secret"]},"validationQuery":"","resourceType":"azure_key_vault_secret","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault_secret","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"bbc-1aj-wsr","createdAt":1624867976874,"name":"All secrets in the Azure Key Vault have an expiration time set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:CC6.7","source:iam","requirement:Storage","requirement:Credentials","control:2.1.1","level:1","requirement:System-Acquisition-Development-and-Maintenance","framework:cis-aws","control:1.19","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. 
Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.\n\n## Rationale\n\nRemoving expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.\n\n## Remediation\n\nAWS Console:\n\nRemoving expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).\n\nAWS CLI:\n\nTo delete an expired certificate, run the following command by replacing `` with the name of the certificate to delete: `aws iam delete-server-certificate --server-certificate-name `.\n\n**Note**: When the preceding command is successful, it does not return any output.\n\n## Impact\n\nDeleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloudfront, etc., you must update the configuration of the respective service to ensure there is no application interruption.\n\n## References\n\n1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html\n2. 
https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.19","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Storage","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_server_certificate) = \"pass\" if {\n\tiam_server_certificate.expiration - iam_server_certificate.resource_seen_at > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"dih-stb-3p8","createdAt":1632209932850,"name":"All the expired SSL/TLS certificates stored in AWS IAM are removed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.7","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow Kubelet to manage `iptables`.\n\n## Rationale\n\nKubelets can automatically manage the required changes to `iptables` based on how you choose your networking options for the pods. It is recommended to let kubelets manage the changes to `iptables`. This ensures that the `iptables` configuration remains in sync with pods networking configuration. Manually configuring `iptables` with dynamic pod network configuration changes might hamper the communication between pods/containers and to the outside world. You might have `iptables` rules too restrictive or too open.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that if the `--make-iptables-util-chains` argument exists then it is set to true. 
If the `--make-iptables-util-chains` argument does not exist, and there is a Kubelet config file specified by `--config`, verify that the file does not set `makeIPTablesUtilChains` to `false`.\n\n## Remediation\n\nIf using a kubelet config file, edit the file to set `makeIPTablesUtilChains: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--make-iptables-util-chains` argument from the `KUBELET_SYSTEM_PODS_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nKubelet would manage the `iptables` on the system and keep it in sync. If you are using any other `iptables` management solution, then there might be some conflicts.\n\n## Default value\n\nBy default, `--make-iptables-util-chains argument` is set to true.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.7","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"f3g-zcg-jm0","createdAt":1599605004390,"name":"Allow Kubelets to manage changes to the 
iptables"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an AWS S3 lifecycle expiration policy is set to disabled in your CloudTrail logs.\n\n## Strategy\nCheck if `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days`, `@requestParameters.LifecycleConfiguration.Status:Disabled` and `@evt.name:PutBucketLifecycle` fields are present in your S3 Lifecycle configuration log. If these fields are present together, a bucket's lifecycle configuration has been turned off.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n2. If the `{{@requestParameters.bucketName}}` should not be disabled, escalate to engineering so they can re-enable it.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketLifecycle @requestParameters.LifecycleConfiguration.Rule.Expiration:* @requestParameters.LifecycleConfiguration.Rule.Status:Disabled","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"4gy-sks-edk","createdAt":1638798373598,"name":"An AWS S3 bucket lifecycle expiration policy was set to 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an S3 bucket has a lifecycle configuration set with an expiration policy of less than 90 days.\n\n## Strategy\nLook for `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90` in your Cloudtrail logs.\n\n**NOTE**: This rule should be set to logs that this policy applies to. The `@requestParameters.LifecycleConfiguration.Rule.Expiration.Days` key path must be set as a measure to do a query.\n\n\n## Triage & response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}` and that the `{{@requestParameters.bucketName}}` bucket should have a file expiration of less than 90 days.\n2. 
If `{{@requestParameters.bucketName}}` is equal to `{{@aws.s3.bucket}}`, the CloudTrail bucket, consider escalating to higher severity and investigating further.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:PutBucketLifecycle -status:error @eventSource:s3.amazonaws.com @requestParameters.LifecycleConfiguration.Rule.Expiration.Days:<90","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hdo-qqk-njz","createdAt":1638798329769,"name":"An AWS S3 bucket lifecycle policy expiration is set to < 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if versioning or MFA delete was disabled within an AWS S3 bucket's Lifecycle configuration.\n\n## Strategy\nThis rule has two separate queries. The first query determines if `@requestParameters.VersioningConfiguration.MfaDelete` is set to `Disabled`. The second query determines if `@requestParameters.VersioningConfiguration.Status` is set to `Suspended`. For generating a signal, there are two cases. Case one generates a `Medium` signal if query one AND two return `true`. Case two will generate a `Low` signal if query one OR two returns `true`.\n\n**NOTE**: Versioning cannot be disabled permanently; only suspended until turned back on, once it has been enabled on a bucket.\n\n## Triage & Response\n1. 
Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@userIdentity.sessionContext.sessionIssuer.userName}}`, `accountId:` `{{@usr.account_id}}` of `type:` `{{@userIdentity.assumed_role}}`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.MfaDelete:Disabled","groupByFields":["@aws.s3.bucket"],"aggregation":"count","name":"mfadelete_disabled","distinctFields":[]},{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:PutBucketVersioning @requestParameters.VersioningConfiguration.Status:Suspended","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"versioning_suspended","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"mfaDelete and Versioning are Disabled/Suspended","condition":"versioning_suspended > 0 && mfadelete_disabled > 0"},{"status":"low","notifications":[],"name":"mfaDelete or versioning are disabled","condition":"mfadelete_disabled > 0 || versioning_suspended > 0"}],"type":"log_detection","id":"qo0-ly0-8ls","createdAt":1638798322732,"name":"An AWS S3 bucket mfaDelete is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:cloudtrail","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an AWS account attempting to leave an AWS organization.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to have an AWS account leave an AWS organization using the [LeaveOrganization][1] API call.\n\nAn attacker may attempt this API call for several reasons, such as:\n\n* Target security configurations that are 
often defined at the organization level. Leaving an organization can disrupt or disable these controls.\n* Perform a denial of service (DoS) attack on the victim's account that prevents the victim's organization to access it.\n\n## Triage and response\n1. Determine if `{{@userIdentity.arn}}` should have made the `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Initiate your company's incident response (IR) process.\n3. If the API call was made legitimately by the user:\n * Communicate with the user to understand if this was a planned action.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n * Initiate your company's incident response (IR) process.\n\n[1]: https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html\n[2]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html\n[3]: https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privileg","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:LeaveOrganization @eventSource:organizations.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"leave_organization","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"leave_organization > 0"}],"type":"log_detection","id":"9ku-enz-m7d","createdAt":1644595191484,"name":"An AWS account attempted to leave the AWS 
Organization"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","iaas:aws","scope:s3","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance makes an API call to AWS to list all of the S3 Buckets.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect a [ListBuckets][1] API call with the session name prefixed with `i-`. A session name prefixed with `i-` typically indicates that it is an EC2 instance using an [Instance Profile][2] to communicate with other AWS services, which is a common attacker technique to see the full list of S3 buckets in your AWS account.\n\n## Triage and response\n1. Determine if the EC2 instance should be making this API call.\n* If **not a legitimate** user/application, rotate the credentials, verify what else may have been accessed and open an investigation into how this instance was compromised.\n* If a **legitimate** user/application on the EC2 instance is making the `ListBuckets` API call, consider whether this API call is really needed. 
\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#ec2-instance-profile\n\n## Changelog\n18 March 2022 - Updated rule severity and rule name.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_access_denied","distinctFields":[]},{"query":"source:cloudtrail @userIdentity.session_name:i-* @evt.name:ListBuckets -@error.kind:*","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"list_buckets_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Access denied for ListBuckets","condition":"list_buckets_access_denied > 0"},{"status":"medium","notifications":[],"name":"Successful ListBuckets","condition":"list_buckets_success > 0"}],"type":"log_detection","id":"t6r-kqt-hxb","createdAt":1585870281123,"name":"An EC2 instance attempted to enumerate S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is enumerating API Gateway API keys.\n\n## Strategy\nBaseline `GetApiKeys` events by `@userIdentity.session_name` to surface anomalous `GetApiKeys` calls. \n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. 
Review any other security signals for `{{@userIdentity.arn}}`.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetApiKeys","groupByFields":["@userIdentity.session_name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"cc8-ljp-wwt","createdAt":1624968912281,"name":"Anomalous API Gateway API key reads by user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","tactic:TA0009-collection","scope:s3","source:cloudtrail","technique:T1530-data-from-cloud-storage-object","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS user performs S3 bucket write activities they do not usually perform. \n\n## Strategy\nMonitor cloudtrail logs for S3 Data Plane events (`@eventCategory:Data`) to detect when an AWS User (`@userIdentity.arn`) is detected performing anomalous S3 Write `(@evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*))` API calls. \n\n## Triage and response\n1. Determine if user: `{{@userIdentity.arn}}` should be performing the: `{{@evt.name}}` API calls.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. 
If not, investigate the user: `{{@userIdentity.arn}}` for indicators of account compromise and rotate credentials as necessary.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventCategory:Data @eventSource:s3.amazonaws.com @evt.name:(Abort* OR Create* OR Delete* OR Initiate* OR Put* OR Replicate* OR Update*)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"s3_write_events","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"s3_write_events"}],"type":"log_detection","id":"mxi-syi-zeg","createdAt":1637613300981,"name":"Anomalous S3 bucket activity from user ARN"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker is attempting to hijack an EC2 AutoScaling Group.\n\n## Strategy\nThis rule lets you monitor AWS EC2 Autoscaling logs (`@eventSource:autoscaling.amazonaws.com`) to detect when an Autoscaling group receives an anomalous amount of API calls (`{{@evt.name}}`).\n\n## Triage and response\n1. Confirm if the user `{{@userIdentity.arn}}` intended to make the `{{@evt.name}}` API calls.\n2. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:autoscaling.amazonaws.com","groupByFields":["@evt.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"1fj-e0d-mcy","createdAt":1632769123714,"name":"Anomalous amount of Autoscaling Group events"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","scope:salesforce","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a spike in Salesforce query results for a user. A large query can be an early warning sign of a user attempting to exfiltrate Salesforce data. \n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a spike in the number of rows returned (`@rows_returned`). \n\n## Triage and response\n1. 
Determine if the user should be legitimately performing large queries.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@rows_returned","aggregation":"sum","metrics":["@rows_returned"],"groupByFields":["@usr.id"],"query":"source:salesforce @rows_returned:*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"kls-bnv-ip8","createdAt":1621929255172,"name":"Anomalous amount of Salesforce query results"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1485-data-destruction","source:salesforce","tactic:TA0040-impact","scope:salesforce","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is a significant increase in deleted records in Salesforce.\n\n## Strategy\nInspect and baseline Salesforce logs and determine if there is a significant increase in successful (`@evt.outcome:Success`) delete operations (`@operation:Delete`).\n\n## Triage and response\n1. 
Determine if the user should be legitimately deleting Salesforce records.\n","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":169,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @operation:Delete @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"1x7-fhs-sdy","createdAt":1621929255178,"name":"Anomalous amount of Salesforce records deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an EC2 instance is assessing privileges in AWS through various enumeration and discovery techniques.\n\n## Strategy\nMonitor CloudTrail logs to identify when an EC2 instance (`@userIdentity.session_name:i-*\"`) generates an anomalous amount of `AccessDenied` events.\n\n## Triage and response\n1. Determine what events the EC2 instance `{{@userIdentity.session_name}}` are generating in the time frame of the signal.\n2. 
If the root cause is not a misconfiguration, investigate any other signals around the same time of the signal by looking at the Host Investigation dashboard.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied @userIdentity.session_name:i-*","groupByFields":["@userIdentity.assumed_role"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"qyw-re3-iuf","createdAt":1605263699569,"name":"Anomalous amount of access denied events for AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","technique:T1619-cloud-storage-object-disovery","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS assumed role accesses S3 buckets that they do not usually access. \n\n## Strategy\nMonitor cloudtrail logs to identify when a `@userIdentity.assumed_role` makes an anomalous amount of `GetObject` calls to a unique number of S3 buckets (`@requestParameters.bucketName`).\n\n## Triage and response\n1. 
Determine if the user using the assumed role: {{@userIdentity.assumed_role}} should be accessing a bunch of random buckets.\n * Here is a list of buckets that were accessed (up to 10): {{@requestParameters.bucketName}}\n\n## Changelog\n30 Mar 2022 - Updated query and signal message.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":17,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetObject -status:error","groupByFields":["@userIdentity.assumed_role"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.bucketName"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"i41-jb1-c8r","createdAt":1608050033941,"name":"Anomalous number of S3 buckets accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user has attempted to assume an anomalous number of unique roles.\n\n## Strategy\nThis rule sets a baseline for user activity for the [`AssumeRole`][1] API call, and enables detection of potentially anomalous activity.\n\nAn attacker may attempt this for the following reasons:\n\n* To identify which roles the user account has access to.\n* To identify what AWS services are being used internally.\n* To identify third party integrations and internal software.\n\n## Triage and response\n1. Investigate activity for the following ARN `{{@userIdentity.arn}}` using `{{@userIdentity.session_name}}`.\n2. Review any other security signals for `{{@userIdentity.arn}}`.\n3. 
If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response process and investigate.\n\n[1]: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":7200},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @userIdentity.type:IAMUser @evt.name:AssumeRole","groupByFields":["@usr.name"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.roleArn"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rov-8oq-1fd","createdAt":1624968910002,"name":"Anomalous number of assumed roles from user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an unauthenticated request user is permitted in Kubernetes.\n\n## Strategy\nThis rule monitors when any action is permitted (`@http.status_code:[100 TO 299]`) for an unauthenticated user (`@user.username:\\\"system:anonymous\\\"`).\nThe `/healthz` endpoint is commonly accessed unauthenticated and it is excluded in the query filter.\n\n## Triage and response\n1. Inspect all of the HTTP paths accessed and determine if any of the path should be permitted by unauthenticated users.\n2. 
Determine what IP addresses accessed Kubernetes endpoints which may contain sensitive data.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@apiVersion:audit.k8s.io* @usr.name:\"system:anonymous\" @http.status_code:[100 TO 299] -@http.url_details.path:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @user.username:\"system:anonymous\" @responseStatus.code:[100 TO 299] -@requestURI:\"/healthz\"","groupByFields":[],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"f1o-py5-a50","createdAt":1589376002149,"name":"Anonymous Request Authorized"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:apache","technique:T1190-exploit-public-facing-application","source:apache","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[{"action":"require","query":"source:foo"}],"queries":[{"query":"source:apache @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ipl-oaz-eqf","createdAt":1587530038000,"name":"Apache HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1562-Impair-Defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modification of AppArmor profiles using an interactive session.\n\n## Strategy\nAfter an initial intrusion, attackers may attempt to disable security tools to avoid possible detection of their offensive tools and activities. [AppArmor][1] is a Linux Security Module (LSM) feature that confines programs to a limited set of resources. Disabling AppArmor could help an attacker run disallowed tools and gain access to resources that are otherwise blocked. 
This detection looks for commands that disable or modify AppArmor during interactive sessions, which is highly irregular in production environments.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://wiki.ubuntu.com/AppArmor\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:apparmor_modified_tty","groupByFields":["host"],"aggregation":"count","name":"apparmor_modified_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"apparmor_modified_tty","condition":"apparmor_modified_tty > 0"}],"type":"workload_security","id":"byn-fwk-eyv","createdAt":1627392836162,"name":"AppArmor profile 
modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","source:azure.sql","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Database-Services","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","framework:cis-azure","scope:azure.sql","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:4.1.3","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSQL Server Audit Retention should be configured to be greater than 90 days.\n\n## Rationale\n\nUse Audit Logs to check for anomalies and to get insight into suspected breaches or misuse of information and access.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Select Storage Details\n5. Set Retention (days) setting greater than 90 days\n6. Select OK\n7. Select Save using Azure PowerShell. For each server, set retention policy for more than or equal to 90 days:\n\n ```bash\n set-AzureRmSqlServerAuditing -ResourceGroupName -ServerName -RetentionInDays \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. 
https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditing?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS controls\n\nVersion 7\n\n6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n\n4.2 SQL Server: Azure Defender for SQL Azure Defender for SQL provides a layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users will receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access patterns. SQL Server Threat Detection alerts provide details of suspicious activity and recommend action on how to investigate and mitigate the threat. Azure Defender for SQL may incur additional cost per SQL 
server.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@audit_setting.retention_days:0 -@audit_setting.retention_days:>=90","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-@audit_setting.retention_days:0 
-@audit_setting.retention_days:>=90)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"r6e-x2g-rfb","createdAt":1624867973932,"name":"Audit data for Azure SQL is retained for at least 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","source:google_iam_policy","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","scope:google_iam_policy","security:compliance","requirement:Logging-and-Monitoring","control:2.1","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that Cloud Audit Logging is configured to track all admin activities and\nread or write access to user data.\n\n### Default value\nAdmin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are\ndisabled by default because they can be quite large.\n\n## Rationale\nCloud Audit Logging maintains two audit logs for each project, folder, and organization:\n**Admin Activity** and **Data Access**.\n\nAdmin Activity logs contain log entries for API calls or other administrative actions\nthat modify the configuration or metadata of resources. Admin Activity audit logs\nare enabled for all services and cannot be configured.\n\nData Access audit logs record API calls that create, modify, or read user-provided\ndata. 
These are disabled by default and should be enabled.\n\nThere are three kinds of Data Access audit log information:\n* Admin read: Records operations that read metadata or configuration\ninformation. Admin Activity audit logs record writes of metadata and\nconfiguration information. This cannot be disabled.\n* Data read: Records operations that read user-provided data.\n* Data write: Records operations that write user-provided data.\n\nIt is recommended to configure audit logging such that:\n\n* Log type is set to `DATA_READ` (to log user activity tracking) and `DATA_WRITES` (to\nlog changes/tampering to user data).\n* Audit config is enabled for all the services supported by the Data Access audit logs\nfeature.\n* Logs are captured for all users\u2014that is, there are no exempted users in any of the\naudit config sections. This ensures overriding the audit config does not contradict\nthe requirement.\n\n### Impact\nThere is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might\nresult in your project being charged for the additional logs usage.\n- Note: Admin Activity Logs are not listed here, as they are enabled by default and cannot be disabled.\n `exemptedMembers` is not set, as audit logging should be enabled for all users.\n\n## Remediation\n\n### From the console: \n1. Go to the [Audit Logs page][1] in Google Cloud Console.\n2. Follow the steps in Google's [Configure Data Access audit logs][2] documentation to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.\n\n### From the command line:\n1. To read the project's IAM policy and store it in a file, run the following command:\n ```\n gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml\n ```\nAlternatively, the policy can be set at the organization or folder level. 
If you are setting the policy at\nthe organization level, it is not necessary to also set it for each folder or project.\n ```\n gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml\n gcloud resource-manager folders get-iam-policy FOLDER_ID >\n /tmp/folder_policy.yaml\n ```\n2. Edit the policy in `/tmp/policy.yaml`. Adding or change only the audit logs\nconfiguration to:\n ```\n auditConfigs:\n - auditLogConfigs:\n - logType: DATA_WRITE\n - logType: DATA_READ\n - service: allServices\n ```\n\n3. To write new IAM policy, run the following commands:\n ```\n gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml\n gcloud resource-manager folders set-iam-policy FOLDER_ID\n /tmp/folder_policy.yaml\n gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml\n ```\nIf the preceding command reports a conflict with another change, then repeat these steps,\nstarting with the first step.\n\n## Additional information\n* To track detailed user activities, the log type `DATA_READ` is as important as the log type `DATA_WRITE`.\n* BigQuery Data Access logs are handled differently than other data access logs.\n BigQuery logs are enabled by default and cannot be disabled. They do not count against logs allotment and do not result in extra logs charges.\n\n## References\n1. [https://cloud.google.com/logging/docs/audit/][1]\n2. 
[https://cloud.google.com/logging/docs/audit/configure-data-access][2]\n\n[1]: https://cloud.google.com/logging/docs/audit/\n[2]: https://cloud.google.com/logging/docs/audit/configure-data-access\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant(iam_policy) if {\n\tnot has_exempted_members(iam_policy)\n\taudit_config := iam_policy.audit_configs[_]\n\taudit_config.service == \"allServices\"\n\taudit_config.audit_log_configs[_].log_type == \"ADMIN_READ\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_WRITE\"\n\taudit_config.audit_log_configs[_].log_type == \"DATA_READ\"\n}\n\nhas_exempted_members(iam_policy) if 
{\n\tiam_policy.audit_configs[_].audit_log_configs[_].exempted_members[_]\n}\n\nis_project(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_project\"\n}\n\neval(iam_policy) = \"skip\" if {\n\tnot is_project(iam_policy)\n} else = \"pass\" {\n\tcompliant(iam_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mtc-xf1-a6x","createdAt":1664804019062,"name":"Audit logging is properly configured across all services and users in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit all Docker daemon activities.\n\n## Rationale\n\nAs well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.\n\n## Audit\n\nVerify that there are audit rules for the Docker daemon. 
To see the rules associated with the Docker daemon, run: \n\n```\nauditctl -l | grep /usr/bin/dockerd\n```\n\n## Remediation\n\nYou should add rules for the Docker daemon. For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /usr/bin/dockerd -k docker \n```\n\nThen restart the audit daemon using the following command:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, the Docker daemon is not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. \n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.3","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fpu-oe5-feu","createdAt":1599604305682,"name":"Auditing for Docker Daemon executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.4","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/var/lib/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories. For example, audit `/var/lib/docker`, which holds all the information about containers it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/var/lib/docker` directory. To see the rule for the `/var/lib/docker` directory, run: \n\n```\nauditctl -l | grep /var/lib/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/var/lib/docker` directory. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /var/lib/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.4","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tfa-927-tto","createdAt":1599602523672,"name":"Auditing for Docker local storage is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.10","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker/daemon.json`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/docker/daemon.json`. This holds various parameters for the Docker daemon, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/docker/daemon.json` file. To display the rule for the `/etc/docker/daemon.json` file, run: \n\n```\nauditctl -l | grep /etc/docker/daemon.json\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker/daemon.json` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/docker/daemon.json -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/docker/daemon.json` may not exist on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file][2]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.10","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"v2o-aio-i0e","createdAt":1599601474412,"name":"Auditing for the Docker daemon configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.11","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/bin/containerd`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/bin/containerd`, so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/bin/containerd` file. To display the rule for the `/usr/bin/containerd` file, run: \n\n```\nauditctl -l | grep /usr/bin/containerd\n```\n\n## Remediation\n\nYou should add a rule for the `/usr/bin/containerd` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/bin/containerd -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/usr/bin/containerd` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.11","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tor-6yx-oyz","createdAt":1599605637503,"name":"Auditing for the containerd executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.8"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/default/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/etc/default/docker`. It holds various parameters related to the Docker daemon and should therefore be audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/default/docker` file. To see the rule for the `/etc/default/docker` file, run: \n```\nauditctl -l | grep /etc/default/docker \n```\n\n## Remediation\n\nYou should add a rule for the `/etc/default/docker` file. 
For example, add the following line to the `/etc/audit/audit.rules` file: \n\n```\n-w /etc/default/docker -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited so these defaults should be changed in line with organizational security policy. The file `/etc/default/docker` may not be present, and if so, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.8","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qfi-cgy-a6e","createdAt":1599601659531,"name":"Auditing for the default Docker configuration file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent","control:1.2.9"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/sysconfig/docker`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including `/etc/sysconfig/docker`. It contains various parameters related to the Docker daemon when run on CentOS and RHEL based distributions. If present, it is important that it is audited.\n\n## Audit\n\nVerify that there is an audit rule associated with the `/etc/sysconfig/docker` file. 
To see the rule for the `/etc/sysconfig/docker` file, run: \n```\nauditctl -l | grep /etc/sysconfig/docker\n```\n\n## Remediation\n\nYou should add a rule for `/etc/sysconfig/docker` file. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/sysconfig/docker -k docker\n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `/etc/sysconfig/docker` may not be present on the system and in that case, this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.9","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ps6-vb4-bim","createdAt":1599604561498,"name":"Auditing for the default Docker configuration file is configured - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. 
If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.7","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `docker.socket`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges, it is very important to audit its activities and usage. Its behavior depends on some key files and directories, including the `docker.socket` file, which holds various parameters for the Docker daemon, it should be audited.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the `docker.socket` file exists, verify that there is an audit rule corresponding to the `docker.socket` file by running: \n ```\n auditctl -l | grep docker.socket \n ```\n\n## Remediation\n\nIf the file exists, you should add a rule for it. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/lib/systemd/system/docker.socket -k docker \n```\n\nThen restart the audit daemon: \n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The file `docker.socket` may not be present, but if it is, it should be audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.7","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afg-qbt-7uw","createdAt":1599600857858,"name":"Auditing for the docker.socket file is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.12","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/usr/sbin/runc`, if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `/usr/sbin/runc`, and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule corresponding to the `/usr/sbin/runc` file. To display the rule for the `/usr/sbin/runc` file, run:\n\n```\nauditctl -l | grep /usr/sbin/runc\n```\n\n## Remediation\n\nYou should add a rule for `/usr/sbin/runc` file. 
For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /usr/sbin/runc -k docker\n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. The `file/usr/sbin/runc` may not be present on the system, and in that case this recommendation is not applicable.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n2. [https://github.com/docker/docker/pull/20662][2]\n3. [https://containerd.tools/][3]\n4. [https://github.com/opencontainers/runc][4]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html \n[2]: https://github.com/docker/docker/pull/20662 \n[3]: https://containerd.tools/ \n[4]: https://github.com/opencontainers/runc\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.12","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ksp-ylk-dub","createdAt":1599603510904,"name":"Auditing for the runc executable is configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.5","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit `/etc/docker`.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privilege and its behavior depends on some key files and directories, including `/etc/docker`. This holds various certificates and keys used for TLS communication between Docker daemon and Docker client and so it should be audited.\n\n## Audit\n\nVerify that there is an audit rule applied to the `/etc/docker` directory. 
To see the rule for the `/etc/docker` directory, run: \n\n```\nauditctl -l | grep /etc/docker\n```\n\n## Remediation\n\nYou should add a rule for the `/etc/docker` directory. For example, add the following line to the `/etc/audit/audit.rules` file:\n\n```\n-w /etc/docker -k docker \n```\n\nThen restart the audit daemon:\n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). 
\n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.5","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5ns-uab-zcf","createdAt":1599604003342,"name":"Auditing is configured for Docker-related files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.6","cloud_provider:azure","control:10.1","requirement:Monitoring","source:azure.sql","control:A.12.4.1","control:A.12.4.3","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","scope:azure.sql","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:4.1.1","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable auditing on SQL Servers.\n\n## Rationale\n\nThe Azure platform allows a SQL server to be created as a service. Enabling auditing at the server level ensures that all existing and newly created databases on the SQL server instance are audited. 
The auditing policy applied on the SQL database does not override auditing policy and settings applied on the particular SQL server where the database is hosted. Auditing tracks database events and writes them to an audit log in the Azure storage account. It also helps maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Auditing\n4. Set Auditing to On using Azure PowerShell.\n5. Get the list of all SQL Servers: `Get-AzureRmSqlServer`. For each Server, enable auditing:\n\n ```bash\n Set-AzureRmSqlServerAuditingPolicy -ResourceGroupName -ServerName -AuditType -StorageAccountName \n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-on-sql-servers\n2. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverauditing?view=azurermps-5.2.0\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverauditingpolicy?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-auditing\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n**Note**: A server policy applies to all existing and newly created databases on the server. If server blob auditing is enabled, it always applies to the database. The database is audited, regardless of the database auditing settings. The auditing type table is deprecated, leaving only the type blob available. Enabling blob auditing on the database, and enabling it on the server, does not override or change any of the settings of the server blob auditing. Both audits exist side by side. 
So, the database is audited twice in parallel; once by the server policy, and once by the database policy.\n\n## CIS controls\n\nVersion 7 6.3 Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"-@audit_setting.state:(\"Enabled\")","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server 
(-@audit_setting.state:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"gxl-2f7-dso","createdAt":1624867978477,"name":"Auditing on SQL Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs in with a breached password.\n\n## Strategy\nAuth0 logs an event when a user logs in with a breached password. When this event is detected, Datadog generates a `MEDIUM` severity Security Signal.\n\nYou can see more information on how Auth0 detects breached passwords on their [documentation][1].\n\n## Triage and response\n1. Inspect the policy and user location to see if this was a login from approved location\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n[1][https://auth0.com/docs/anomaly-detection/brute-force-protection]\n","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:breached_password","groupByFields":["@usr.id"],"aggregation":"count","name":"breached_password","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"breached_password > 0"}],"type":"log_detection","id":"yhw-avf-dz0","createdAt":1597422957145,"name":"Auth0 user logged in with a breached password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","requirement:Cloud-SQL","cloud_provider:gcp","control:CC7.4","source:google_sql_database_instance","control:6.4.5.4","framework:cis-gcp","requirement:Compliance","level:1","control:6.7","scope:google_sql_database_instance","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Additional-Criteria-for-Availability","requirement:Communications-Security","requirement:System-Operations","control:3.1","requirement:Control-Activities","control:A1.1","control:A1.2","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:CC5.1","control:A.9.1.2","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nAll SQL database instances should have automated backups enabled.\n\n## Rationale: \nBackups provide a way to restore a Cloud SQL instance, to recover lost data, or to recover from\na problem with that instance. Enable automated backups for any instance that\ncontains data that should be protected from loss or damage. 
This recommendation is\napplicable for SQL Server, PostgreSql, MySql generation 1 and MySql generation 2\ninstances.\n\n## Impact: \nAutomated backups increase the required storage size and may affect the costs associated with it.\n\n## Remediation: \n\n### From the console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Select the instance where the backups need to be configured.\n3. Click `Edit`.\n4. In the `Backups` section, check 'Enable automated backups', and choose a backup window.\n5. Click `Save`.\n\n### From the command line:\n\n1. List all Cloud SQL database instances using the following command:\n ```\n gcloud sql instances list\n ```\n2. Enable automated backups for a Cloud SQL database instance by running:\n ```\n gcloud sql instances patch --backup-start-time <[HH:MM]>\n ```\n\nThe `backup-start-time` parameter is specified in 24-hour time, in the UTC\u00b100 time zone,\nand specifies the start of a 4-hour backup window. Backups can start any time during the\nbackup window.\n\n## Default value:\nBy default, automated backups are not configured for Cloud SQL instances. Data backup is\nnot possible on any Cloud SQL instance unless Automated Backup is configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/backup-recovery/backups][2]\n2. [https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up][3]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://cloud.google.com/sql/docs/mysql/backup-recovery/backups\n[3]: https://cloud.google.com/sql/docs/postgres/backup-recovery/backing-up\n\n## CIS controls:\n\nVersion 8: _11.2 Perform Automated Backups_. Perform automated backups of in-scope enterprise assets. 
Run backups weekly,\nor more frequently, based on the sensitivity of the data.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.7","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.4.5.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.1","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"pass\" if {\n\tsql_database_instance.settings.backup_configuration.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iir-4sf-rxn","createdAt":1657665285362,"name":"Automated backups are configured for SQL Database Instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when any user logs in to Azure AD without multi-factor authentication.\n\n## Strategy\nThis rule monitors Azure Activity logs for Active Directory logs and detects when any `@evt.category` has a value of `SignInLogs`, and `@properties.authenticationRequirement` has a value of `singleFactorAuthentication`.\n\n## Triage and response\n1. Reach out to the user to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables 2FA.\n3. If the login wasn't legitimate, rotate the credentials.\n4. 
Review all user accounts to ensure MFA is enabled.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:singleFactorAuthentication","groupByFields":["@usr.id"],"aggregation":"count","name":"user_login_without_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_login_without_mfa > 0"}],"type":"log_detection","id":"c8i-66d-m7u","createdAt":1598468815267,"name":"Azure AD Login Without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to the [Global Administrator][1] role.\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\"`\n\nThe Global Administrator role can manage all aspects of Azure AD and Microsoft services that use Azure AD identities. An adversary can add users as Global Administrators in order to maintain access to Azure AD.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. 
If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][2] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.category:AuditLogs @evt.name:\"Add member to role\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_global_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"member_assigned_global_administrator_role > 0"}],"type":"log_detection","id":"bdq-rcs-dn5","createdAt":1658756175450,"name":"Azure AD member assigned Global Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Azure Active Directory (Azure AD) member being added to a [built-in Administrative role][1].\n\n## Strategy\nMonitor Azure AD Audit logs for the following operations:\n\n* `@evt.name:\"Add member to role\"` \n* `@properties.targetResources.modifiedProperties.newValue:*Administrator*`\n\nAzure AD uses roles to assign privileges to users. 
There are over 80 roles available, the list below details some of the highest privileged roles that adversaries could target:\n\n* [Application Administrator][2]\n* [Cloud Application Administrator][3]\n* [Exchange Administrator][4]\n* [Privileged Role Administrator][5]\n* [User Administrator][6]\n* [Sharepoint Administrator][7]\n* [Hybrid Identity Administrator][8]\n\nThis [whitepaper][9] from Mandiant describes the abuse of Azure AD privileged roles.\n\n## Triage and response\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Begin your organization's incident response (IR) process and investigate.\n3. If the API call was made legitimately by the user:\n * Determine if `{{@usr.id}}` was authorized to make the change.\n * Follow Microsoft's [best practices][10] where possible to ensure the user was assigned the correct level of privileges for their function.\n\n\n[1]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference\n[2]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#application-administrator\n[3]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#cloud-application-administrator\n[4]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#exchange-administrator\n[5]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#privileged-role-administrator\n[6]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#user-administrator\n[7]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#sharepoint-administrator\n[8]: https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#hybrid-identity-administrator\n[9]: 
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf\n[10]: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @properties.targetResources.modifiedProperties.newValue:*Administrator* @evt.category:AuditLogs @evt.name:\"Add member to role\" -@properties.targetResources.modifiedProperties.newValue:\"\\\"Global Administrator\\\"\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"member_assigned_built_in_administrator_role","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"member_assigned_built_in_administrator_role > 0"}],"type":"log_detection","id":"61p-mwe-rxm","createdAt":1658756175462,"name":"Azure AD member assigned built-in Administrator role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","control:8.7","level:1","requirement:Database-Services","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","scope:azure.sql","control:4.4","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse Azure Active Directory Authentication for authentication with SQL Database.\n\n## Rationale\n\nAzure Active Directory authentication is a mechanism to connect to the Microsoft Azure SQL Database and SQL Data Warehouse 
by using identities in Azure Active Directory (Azure AD). With Azure AD authentication, manage identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management in the following ways:\n\n- Provides an alternative to SQL Server authentication. \n- Helps stop the proliferation of user identities across database servers. \n- Allows password rotation in a single place. \n- Customers can manage database permissions using external (AAD) groups. \n- Eliminates storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory. \n- Uses contained database users to authenticate identities at the database level. \n- Token-based authentication for applications connecting to SQL Database. \n- ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization. \n- Connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options phone call, text message, smart cards with a pin, or mobile app notification.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Active Directory admin\n3. Click on Set admin\n4. Select an admin\n5. Click Save\n6. Using the Azure PowerShell for each Server, set `AD Admin Set-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName -ServerName -DisplayName \"\"`.\n6. From Azure Command Line Interface, get the ObjectID of user: `az ad user list --query \"[?mail==].{mail:mail, userPrincipal`.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure\n2. 
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication\n3. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n4. https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0\n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: Assigning an administrator in Azure Active Directory (AAD) is just the first step. When using AAD for central authentication there are many other groups and roles that need to be configured base on the needs of your organization. To determine what roles should be assigned and what groups should be created to manage permissions and access to resources, see the How-to Guides.\n\n## CIS Controls\n\nVersion 7 16.2 Configure Centralized Point of Authentication: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud 
systems.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\"))","resourceType":"azure_sql_server","filter":"","queryPath":"active_directory_administrators","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@name:(\"ActiveDirectory\") @administrator_type:(\"ActiveDirectory\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"kiv-p8l-5mk","createdAt":1624867977317,"name":"Azure Active Directory Admin is configured for Azure 
SQL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure-active-directory","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.\n\n## Strategy\nMonitor Azure Active Directory sign in activity (`@evt.name:\"Sign-in activity\"`) and generate a signal when Azure identifies the user as risky or compromised (`@properties.riskState:\"atRisk\" OR \"confirmedCompromised\"`). \n\n## Triage and response\n1. Analyze the location (`@network.client.geoip.subdivision.name`) of `{{@usr.id}}` to determine if they're logging into from their usual location. \n2. If log in activity is not legitimate, disable `{{@usr.id}}` account.\n3. Investigate any devices owned by `{{@usr.id}}`.\n\n## Changelog\n14 June 2022 - Fixed bug in rule query.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":167,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelDuringSignIn:high @properties.riskLevelDuringSignIn:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_during_signin_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR confirmedCompromised) @properties.riskLevelAggregated:high @properties.riskLevelAggregated:(medium OR high)","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_aggregated_high","distinctFields":[]},{"query":"source:azure.activedirectory @evt.name:\"Sign-in activity\" @evt.category:SignInLogs -@evt.outcome:failure @properties.riskState:(atRisk OR 
confirmedCompromised) @properties.riskLevelAggregated:medium @properties.riskLevelDuringSignIn:medium","groupByFields":["@usr.id"],"aggregation":"count","name":"risk_level_medium","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"High Risk Aggregated","condition":"risk_level_aggregated_high > 0"},{"status":"high","notifications":[],"name":"High Risk During Sign-In","condition":"risk_level_during_signin_high > 0"},{"status":"medium","notifications":[],"name":"Medium Risk","condition":"risk_level_medium > 0"}],"type":"log_detection","id":"h1h-4to-2ka","createdAt":1629464257705,"name":"Azure Active Directory Risky Sign-In"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.6","source:azure.appservice","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-7-ii-A","control:164.312-a-2-ii","control:2.2.4","scope:azure.appservice","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Risk-Mitigation","requirement:Logical-and-Physical-Access-Control","control:CC9.1","control:CC6.3","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'remote debugging' **disabled** to enhance security and protect applications.\n\n## Rationale\n\nIf remote debugging is enabled, this can allow an attacker access to your applications.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services web apps by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n\n az webapp config show\n\t--ids \"\"\n\t--query 'remoteDebuggingEnabled'\n3. 
Disable the web app's remote debugging capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--remote-debugging-enabled false\n ```\n4. Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_remote_debugging_enabled:true","resourceType":"azure_app_service","filter":"@site_config_remote_debugging_enabled:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_remote_debugging_enabled:* 
(@site_config_remote_debugging_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ciw-6dd-ffz","createdAt":1645807220230,"name":"Azure App Service has remote debugging enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","scope:azure.app_service","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","framework:soc-2","source:azure.app_service","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure App Services has 'always on' **enabled** for web apps.\n\n## Rationale\n\nEnabling 'always on' will enhance your Azure Apps web apps' availability.\n\n## Remediation\n\n### Azure CLI\n\n1. Get a list of your App Services by running the following in Azure Powershell:\n\n ```\n az webapp list\n\t--query '[*].id'\n ```\n2. Check the config of your web apps with the command:\n \n ```\n az webapp config show\n\t--ids \"\"\n\t--query 'alwaysOn'\n ```\n3. Enable the web app's 'always on' capability with the command:\n\n ```\n az webapp config set\n\t--ids \"\"\n\t--always-on true\n ```\n4. 
Repeat steps one through three for each server that is not configured correctly.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@site_config_always_on:false","resourceType":"azure_app_service","filter":"@site_config_always_on:*","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service @site_config_always_on:* (@site_config_always_on:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xmp-jgo-xdo","createdAt":1645807220325,"name":"Azure App Service is set to always 
on"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Datadog Azure function is deleted which will prevent Azure logs from being sent to Datadog.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.WEB/SITES/DELETE\"`, `@evt.outcome` is `Success`, and the `@resourceID` contains `DATADOG` and `LOG`. This rule does not work if the the Azure resource group or Azure function does not contain `DATADOG` or `LOG`.\n\n## Triage and response\n1. Verify the Azure function (`@resourceId`) is responsible for forwarding logs to Datadog.\n2. Determine if there is a legitimate reason for deleting the Azure function.\n3. If activity is not expected, investigate activity from the service principal (`@identity.authorization.evidence`) or user (`{{@usr.id}}`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.web @evt.name:\"MICROSOFT.WEB/SITES/DELETE\" @resourceId:(*DATADOG* AND *LOG*) @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"sit-o2a-uov","createdAt":1634570142022,"name":"Azure Datadog Log Forwarder Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","security:threat-intel"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure firewall threat intelligence alert is received.\n\n## Strategy\nMonitor Azure Network Diagnostic logs and detect when `@evt.name` is equal to `AzureFirewallThreatIntelLog`.\n\n## Triage and response\n1. Inspect the threat intelligence log.\n2. 
Investigate the activity from this IP address.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:AzureFirewallThreatIntelLog","groupByFields":["@network.client.ip"],"aggregation":"count","name":"azure_firewall_threat_intel_alert","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"azure_firewall_threat_intel_alert > 0"}],"type":"log_detection","id":"z0v-yfr-qat","createdAt":1607106300940,"name":"Azure Firewall Threat Intelligence Alert"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Block`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Block","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_blocked_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_blocked_a_request > 0"}],"type":"log_detection","id":"xyt-fqh-myv","createdAt":1598468816869,"name":"Azure Frontdoor WAF Blocked a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure Frontdoor Web Application Firewall (WAF) logs a request from an IP address.\n\n## Strategy\nThis rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the `@evt.name` has a value of `Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write` and `@properties.action` has a value of `Log`.\n\n## Triage and response\n1. Inspect whether this request should have been blocked or not.\n2. 
Navigate to the IP dashboard and inspect other requests this IP address has made.\n","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write\" @properties.action:Log","groupByFields":["@properties.clientIP"],"aggregation":"count","name":"waf_logged_a_request","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"waf_logged_a_request > 0"}],"type":"log_detection","id":"bkk-48l-vem","createdAt":1598468815399,"name":"Azure Frontdoor WAF Logged a Request"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","control:9.9","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","scope:azure.appservice","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nNew versions of HTTP are released periodically to address security issues and/or to include additional functionality. Using the latest version of HTTP for web apps takes advantage of security fixes and new functionality.\n\n## Rationale\n\nUsing the latest version is recommended in order to take advantage of enhancements and new capabilities. With each software update, your organization needs to determine if the latest update meets your requirements.\n\nFor example, HTTP 2.0 has performance improvements for the head-of-line blocking problem, header compression, and prioritization of requests. 
HTTP 2.0 no longer supports HTTP 1.1's chunked transfer encoding mechanism because it provides its own, more efficient mechanism for data streaming.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click *Configuration**.\n5. Set HTTP version to 2.0 under **General settings**.\n\n**Note**: Most modern browsers support HTTP 2.0 protocol over TLS, while non-encrypted traffic continues to use HTTP 1.1. To ensure that client browsers connect to your app with HTTP/2, either buy an App Service Certificate for your app's custom domain or bind a third party certificate.\n\nAzure CLI:\n\nTo set the HTTP version to 2.0 for an existing app, run the following command:\n\n`az webapp config set --resource-group --name --http20-enabled true'`\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.9","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@site_config_http20_enabled:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_http20_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"y1o-cvu-xc7","createdAt":1645813490516,"name":"Azure HTTP version is the latest 
available"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.3.1","level:1","scope:azure.keyvault","control:8.4","requirement:Cardholder-Data","framework:iso-27001","framework:pci","requirement:Operations-Security","security:compliance","requirement:Azure","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:2.2","control:A1.2","requirement:Other-Security-Considerations","framework:soc-2","requirement:Risk-Mitigation","control:3.5.3","requirement:Logical-and-Physical-Access-Control","control:CC9.1","source:azure.keyvault","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe key vault contains object keys, secrets, and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. Datadog recommends the key vault be made recoverable by enabling the \"Do Not Purge\" and \"Soft Delete\" functions. This is to prevent loss of encrypted data including storage accounts, SQL databases, and dependent services provided by key vault objects (Keys, Secrets, Certificates) etc., as may happen in the case of accidental deletion by a user or from disruptive activity by a malicious user.\n\n### Default value \n\nWhen a new Key Vault is created, both the parameters `enableSoftDelete` and `enablePurgeProtection` are set to `null`, disabling both the features.\n\n## Rationale\n\nThere could be scenarios where users accidentally run delete and purge commands on key vault or attacker or malicious user does it deliberately to cause disruption. 
Deleting or purging a key vault leads to immediate data loss as keys encrypting data and secrets and certificates causing access and services to become non-accessible. There are two key vault properties that plays role in permanent unavailability of a key vault:\n\n1. Setting the `enableSoftDeleteSetting` parameter to true for a key vault ensures that even if key vault is deleted, the key vault itself or its objects are recoverable for next 90 days. In this span of 90 days either key vault and objects can be recovered or purged (permanent deletion). If no action is taken, after 90 days, the key vault and its objects are purged.\n\n2. `enablePurgeProtectionenableSoftDelete` only ensures that the key vault is not deleted permanently and will be recoverable for 90 days from the deletion date. However, there is a chance that the key vault or objects are accidentally purged and are not recoverable. Setting `enablePurgeProtection` to \"true\" ensures that the key vault and its objects cannot be purged. Enabling both the parameters on key vaults ensures that key vaults and their objects cannot be deleted or purged permanently.\n\n### Impact\n\nOnce purge-protection and soft-delete is enabled for a key vault, the action is irreversible.\n\n- Note: When a key is used for the SQL server TDE or Encrypting Storage account, the corresponding key vault features \"Do Not Purge\" and \"Soft Delete\" are enabled by default by your Azure backend.\n\n## Remediation\n\n### From the command line \n\nTo enable \"Do Not Purge\" and \"Soft Delete\" for a key vault using Azure CLI:\n\n```bash\naz resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups//providers/Microsoft.KeyVault /vaults/ --set properties.enablePurgeProtection=true properties.enableSoftDelete=true\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli][1]\n2. 
[https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy][3]\n\n\n[1]: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli\n[2]: https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-8-define-backup-and-recovery-strategy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.4","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.2","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"3.5.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_key_vault_attributes(key_vault) if {\n\tkey_vault.enable_soft_delete\n} else {\n\tkey_vault.enable_purge_protection\n}\n\neval(key_vault) = \"pass\" if 
{\n\tcompliant_key_vault_attributes(key_vault)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_key_vault"]},"validationQuery":"","resourceType":"azure_key_vault","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_key_vault","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"4tq-la5-9ei","createdAt":1624867975393,"name":"Azure Key Vault is recoverable"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","control:1.3.5","control:1.3.6","control:1.3.7","framework:pci","control:6.4.1","security:compliance","control:1.3.4","control:1.2.1","source:azure.kubernetes","requirement:Communications-Security","control:1.2","control:1.3","cloud:azure","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Private Cluster feature for Azure Kubernetes Service (AKS) cluster is enabled.\n\n## Rationale\n\nThe Private Cluster feature ensures that network traffic between your API server and your node pools remains solely on the private network. 
The API server is not exposed over the internet as it is with the standard AKS deployment. This configuration is a common requirement in many regulatory and industry compliance standards.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment. Changing the setting requires recreating your cluster.\n\n## Impact\n\nCreating and managing a Private AKS Cluster requires additional considerations when compared to a standard AKS deployment. It requires understanding how Azure Private Link and Private Endpoints work. It also requires a thorough assessment of your AKS networking architecture and dependencies. If your AKS cluster is on an isolated Azure Virtual Network (VNET), the Private Cluster feature requires additional configurations to allow connectivity between your AKS Cluster and your management VNET. Microsoft's official documentation, which is included in ``references``, helps you navigate the deployment of Private AKS Clusters.\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/aks/private-clusters][1]\n2. [https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview][2]\n3. 
[https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/aks/private-clusters\n[2]: https://docs.microsoft.com/en-us/azure/private-link/private-link-service-overview\n[3]: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-overview\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.7","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(aks_cluster) = \"fail\" if {\n\tnot 
aks_cluster.api_server_access_profile_enable_private_cluster\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_aks_cluster"]},"validationQuery":"","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mxc-7gb-6q2","createdAt":1656924134424,"name":"Azure Kubernetes Service (AKS) Private Cluster Feature is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect and identify the network IP address when multiple user accounts failed to complete the MFA process.\n\n## Strategy\nMonitor Azure Active Directory Sign-in logs and detect when any `@evt.category` is equal to `SignInLogs`, `@properties.authenticationRequirement` is equal to `multiFactorAuthentication` and `@evt.outcome` is equal to `failure`.\n\n## Triage and response \n1. Inspect the log and determine if this was a valid login attempt.\n2. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @properties.authenticationRequirement:multiFactorAuthentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_mfa_denied_w_multiple_user_accounts","distinctFields":["@usr.email"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Greater than 10 unique users","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 10"},{"status":"low","notifications":[],"name":"Greater than 3 unique user","condition":"failed_login_mfa_denied_w_multiple_user_accounts > 3"}],"type":"log_detection","id":"zgm-z7i-mhu","createdAt":1607106317340,"name":"Azure Login Explicitly Denied MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group allows inbound traffic from all IP Addresses.\n\n## Strategy\nThis rule monitors Azure Activity logs for network changes and detects when the `@evt.name` has a value of `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`, `@properties.securityRules.properties.direction` has a value of `Inbound`, `@properties.securityRules.properties.access` has a value of `Allow`, and `@properties.securityRules.properties.sourceAddressPrefix` has a value of either `0.0.0.0/0` OR `*`.\n\n## Triage and response\n1. Inspect which Virtual Machines are associated with this security group.\n2. 
Determine whether this security group and the VMs should permit inbound traffic from all IP addresses.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\" @properties.securityRules.properties.direction:Inbound @properties.securityRules.properties.access:Allow @properties.securityRules.properties.sourceAddressPrefix:(\"0.0.0.0/0\" OR \"*\")","groupByFields":["@resourceId"],"aggregation":"count","name":"security_group_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"security_group_open_to_world > 0"}],"type":"log_detection","id":"owu-2uz-8cb","createdAt":1598468816111,"name":"Azure Network Security Group Open to the World"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security group or an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any one of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE`\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security group or security rule and determine if it exposes any Azure resources that should not be exposed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.network @evt.name:(\"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE\" OR \"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE\") @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"mju-ynx-i1h","createdAt":1607106297216,"name":"Azure Network Security Groups or Rules Created, Modified, or Deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added as a new owner for an Active Directory application which could be used as a persistence mechanism. \n\n## Strategy\nMonitor Azure Active Directory logs for `@evt.name: \"Add owner to application\"` has an `@evt.outcome` of `success`. \n\n## Triage and response\n1. Review evidence of anomalous activity for the user being added as an owner (`@properties.targetResources`) for the Active Directory application.\n2. 
Determine if there is a legitimate reason for the user being added to the application.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to application\" @evt.outcome:success @usr.name:* -@identity:*","groupByFields":[],"aggregation":"count","name":"new_owner","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner > 0"}],"type":"log_detection","id":"8vm-rcm-ss1","createdAt":1630591816193,"name":"Azure New Owner added to Azure Active Directory application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a new service principal is created in Azure, which applies to a persistence mechanism.\n\n## Strategy\n\nMonitor Azure Active Directory logs where `@evt.name` is `\"Add service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n\n1. Inspect the new service principal in `@properties.targetResources`.\n2. Verify with the user (`{{$usr.name}}`) to determine if the service principal is legitimate. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_sp > 0"}],"type":"log_detection","id":"bog-iak-dms","createdAt":1630591822167,"name":"Azure New Service Principal created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure policy assignment has been created.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to `MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE` and `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. Inspect the policy assignment and determine if an unsolicited change was made on any Azure resources.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure @evt.name:\"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE\" @evt.outcome:Success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uvd-ets-ju9","createdAt":1607106302885,"name":"Azure Policy Assignment Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\nMonitor Azure Active Directory Sign-in 
logs and detect when any `@evt.category` is equal to `SignInLogs`, and `@evt.outcome` is equal to `failure`.\n\n## Triage and response\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Successful login","condition":"failed_login > 5 && successful_login > 0"},{"status":"info","notifications":[],"name":"Unsuccessful","condition":"failed_login > 5"}],"type":"log_detection","id":"y0f-vsz-xms","createdAt":1607106309289,"name":"Azure Portal brute force 
login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses SSL/TLS in-transit encryption.\n\n## Rationale\n\nUsing in-transit encryption with PostgreSQL protects data from attacks like Man-In-The-Middle (MITM), by ensuring that data is encrypted with Transport Layer Security (SSL/TLS) while moving between endpoints. This is the default option with Azure. \n\n## Remediation\n\n### Console\n\n1. Follow the instructions listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][1] to transition to SSL/TLS encyrption in-transit. \n\n### CLI\n\n1. Follow the steps listed at [Configure TLS connectivity in Azure Database for PostgreSQL - Single Server][2] to use the CLI to transition to SSL/TLS encyrption in-transit. 
\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-the-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security#using-azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@ssl_enforcement:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_se
rver (@ssl_enforcement:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t58-y4w-igs","createdAt":1645642196325,"name":"Azure PostgreSQL Database Server uses In-Transit Encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","security:compliance","control:CC7.4","cloud_provider:azure","control:6.2","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","control:CC7.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL is using the most recent major version available.\n\n## Rationale\n\nPostegreSQL employs both minor and major version updates. Using the most recent version available (particularly the most recent major version) ensures that you are using the most secure, feature rich, and supported version available. Azure Database Migration Service can help minimize downtime when performing version upgrades in Azure Database for PostgreSQL - Single Server. \n\n## Remediation\n\n### Console\n\n1. Use Azure's [Configure server parameters in Azure Database for PostgreSQL - Single Server via the Azure portal][1] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate/Upgrade Azure DB for PostgreSQL - Single Server to Azure DB for PostgreSQL - Single Server online using DMS via the Azure portal][2] to migrate the old database to the new database.\n\n### CLI\n\n1. 
Use Azure's [Customize server configuration parameters for Azure Database for PostgreSQL - Single Server using Azure CLI][3] to configure a target database with desired PostgreSQL version, network settings, and parameters. \n2. Follow the steps listed at [Tutorial: Migrate PostgreSQL to Azure DB for PostgreSQL online using DMS via the Azure CLI][4] to migrate the old database to the new database.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/dms/tutorial-azure-postgresql-to-azure-postgresql-online-portal\n[3]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli\n[4]: https://docs.microsoft.com/en-us/azure/dms/tutorial-postgresql-azure-postgresql-online","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@version:(\"11\" OR \"12\" OR \"13\" OR \"14\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@version:(\"11\" OR \"12\" OR \"13\" OR 
\"14\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"4ns-zxg-wye","createdAt":1645642207320,"name":"Azure PostgreSQL Database Server uses the current major PostgreSQL version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","control:CC7.4","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:A.12.3.1","source:azure.dbforpostgresql","control:164.308-a-7-ii-A","requirement:Compliance","scope:azure.dbforpostgresql","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Security-of-Processing","control:A1.2","control:A.18.1.3","framework:soc-2","control:32.1c"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses geo-redundant backups.\n\n## Rationale\n\nUsing geo-redundancy with PostgreSQL creates geographically distributed replicas by default. These replicas assist with achieving data durability, as they protect against data becoming unavailable because of a regional event, such as a natural disaster. You can select this option only at the time of database creation. To modify an existing database to use geo-redundancy, recreate the database.\n\n## Remediation\n\n### Console\n\n1. 
Follow the instructions listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using the Azure portal][1] to create a new PostgreSQL database. Ensure **Geo-redundant** is selected under **Backup redundancy options**.\n\n### CLI\n\n1. Follow the steps listed at [Tutorial: Design an Azure Database for PostgreSQL - Single Server using Azure CLI][2] to create and deploy a PostgreSQL server.\n2. When configuring the [`az postgres server create` Microsoft Azure Module][3] ensure that `geoRedundantBackup` is set to `Enabled`, as shown in the example below. \n\n ```\n az postgres server create \n -l northeurope \n -g mygroup \n -n mysvr \n -u username \n -p password \n --sku-name my_sku\n --ssl-enforcement Enabled \n --minimal-tls-version TLS1_0 \n --public-network-access Disabled \n --backup-retention 10 \n --geo-redundant-backup Enabled \n --storage-size 51200 \n --tags \"key=value\" \n --version 11\n ```\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/tutorial-design-database-using-azure-cli\n[3]: 
https://docs.microsoft.com/en-us/cli/azure/postgres/server?view=azure-cli-latest#az-postgres-server-create","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.3.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC7.4","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@storage_profile_geo_redundant_backup:Disabled","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server 
(@storage_profile_geo_redundant_backup:Disabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9t5-0qz-cj3","createdAt":1645642195699,"name":"Azure PostgreSQL database server uses geo-redundant backups"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure network security rule has been created, modified, or deleted.\n\n## Strategy\nMonitor Azure activity logs and detect when the `@evt.name` is equal to any of the following names:\n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE` \n- `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE`\n\nand `@evt.outcome` is equal to `Success`.\n\n## Triage and response\n1. 
Inspect the security rule and determine if it exposes any Azure resources that should not be made public.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.sql @evt.name:\"MICROSOFT.SQL/SERVERS/FIREWALLRULES/WRITE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"kbv-sau-dwv","createdAt":1607106319051,"name":"Azure SQL Server Firewall Rules Created or Modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.15","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable security alert emails to subscription owners.\n\n## Rationale\n\nEnabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can quickly mitigate security risks.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. In the drop down of the All users with the following roles field, select Owner\n6. Click Save using the Azure Command Line Interface\n7. 
Use the below command to set Send email also to subscription owners:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management Storage Accounts: This section covers security recommendations to follow to set storage account policies on an Azure subscription. 
An Azure storage account provides a unique namespace to store and access Azure Storage data objects.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.15","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.notifications_by_role.roles:(\"Owner\") AND @properties.notifications_by_role.state:(\"On\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"qjw-pnm-kfh","createdAt":1625738237090,"name":"Azure Security Center is configured to send email notifications about security alerts to subscription 
owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","control:2.14","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule enables emailing security alerts to the email subscription owner or other designated security contact.\n\n## Rationale\n\nEnabling security alert emails ensures that security alert emails are received from Microsoft. This ensures that the right people are aware of any potential security issues and are able to mitigate the risk.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email notifications\n5. Under Notification types, check the check box next to Notify about alerts with the following severity (or higher) and select High from the drop-down menu\n6. Click save using the Azure Command Line Interface\n7. Use the below command to set Send email notification for high severity alerts:\n\n ```bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data as mentioned below. 
And replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default1\", \"name\"\"default1\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details\n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list\n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default. Microsoft has recently changed their REST APIs to get and update security contact information. This recommendation is updated accordingly.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.14","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"-(@properties.alert_notifications.state:(\"On\") AND 
@properties.alert_notifications.minimal_severity:(\"High\"))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (-(@properties.alert_notifications.state:(\"On\") AND @properties.alert_notifications.minimal_severity:(\"High\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"cv4-lxu-yt1","createdAt":1625738237834,"name":"Azure Security Center is configured to send email notifications about security alerts with High severity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","requirement:Security-Center","scope:azure.security","cloud_provider:azure","requirement:Monitoring","framework:cis-azure","control:10.6.1","requirement:System-Operations","control:C2.2","level:1","requirement:Monitoring-Activities","framework:soc-2","requirement:Risk-Mitigation","control:CC4.2","source:azure.security","control:CC7.3","control:CC9.1","control:CC7.2","framework:pci","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.\n\n## Rationale\n\nAzure Security Center emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the \"Additional email addresses\" field ensures that your organization's security team is included in these alerts. 
This ensures that the proper people are aware of any potential compromise to mitigate the risk in a timely fashion.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Security Center\n2. Click on Pricing and Settings\n3. Click on the appropriate Management Group, Subscription, or Workspace\n4. Click on Email Notifications\n5. Enter a valid security contact email address (or multiple addresses separated by commas) in the additional email addresses field\n6. Click Save using the Azure Command Line Interface\n7. Use the below command to set security contact emails:\n\n ``` bash\n get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/securityContacts/default1?api-version=2017-08-01-preview -d@\"input.json\"\n ```\n\n Where `input.json` contains the request body JSON data, as mentioned below. Replace `validEmailAddress` with email IDs, CSV for multiple.\n\n ```bash\n { \"id\"\"/subscriptions//providers/Microsoft.Security/securityContacts/default\", \"name\"\"default\", \"type\"\"Microsoft.Security/securityContacts\", \"properties\"{ \"email\"\"\", \"alertNotifications\"\"On\", \"alertsToAdmins\"\"On\" } }\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details \n2. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list \n3. https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/update \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-incident-response#ir-2-preparation--setup-incident-notification\n\n**Note**: Excluding any of the entries in the recommendations block in `input.json` disables the specific setting by default.\n\n## CIS Controls\n\nVersion 7 3 Continuous Vulnerability Management\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-azure","requirement":"Security-Center","version":"1.3.0"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"C2.2","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.2","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.3","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"}],"validationQuery":"((-@properties.emails:*) OR (@properties.emails:(\"\")))","resourceType":"azure_security_contact","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_contact (((-@properties.emails:*) OR (@properties.emails:(\"\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"1vo-ezv-ztj","createdAt":1625738244720,"name":"Azure Security Center is configured with a security contact email"}]} - headers: - Content-Type: - - application/json - status: 200 OK 
- code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=2&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scope:iam","scored:true","requirement:Transmission-Security","source:iam","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","control:2.1.1","requirement:Compliance","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","control:4.1","control:1.2","control:1.3","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:4.1.1","requirement:Encryption-In-Transit","control:8.2.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse SSH authentication keys to secure Linux virtual machines.\n\n## Rationale\n\nUsing SSH to secure authentications is a security best practice, as traditional username and password authentication is vulnerable to malicious tactics such as brute-force attacks. SSH uses a combination of public and private key pairs to secure the authentication process. Access to the private key is automated and tightly controlled, without both keys SSH access will not be granted. This also eliminates the need for users to memorize complex passwords for virtual machine access.\n\n## Remediation\n\n### CLI\n\n1. 
Follow the steps listed at [Detailed steps: Create and manage SSH keys for authentication to a Linux VM in Azure][1] to create and deploy VMs using SSH.\n2. If needing to transition from Username and Password authentication, to SSH, there is no way to transition directly. You must deprovision the current VM and create an image of it with SSH as the authentication method. Follow the steps on [How to create a managed image of a virtual machine or VHD][2]. \n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-ssh-keys-detailed\n[2]: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/capture-image","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","versio
n":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@os_profile.linux_configuration.disable_password_authentication:false","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance (@os_profile.linux_configuration.disable_password_authentication:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"p52-zrd-xlt","createdAt":1645813490150,"name":"Azure VM requires SSH Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.21","source:azure.active_directory","cloud_provider:azure","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:6.4","framework:cis-azure","requirement:Control-Activities","cloud:azure","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC8.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSubscription ownership should not include permission to create custom owner roles. 
The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access.\n\n## Rationale\n\nClassic subscription admin roles offer basic access management and include Account Administrator, Service Administrator, and Co-Administrators. It is recommended the least necessary permissions be given initially. Permissions can be added as needed by the account holder. This ensures the account holder cannot perform actions which were not intended.\n\n## Remediation\n\nUsing Azure Command Line Interface 2.0, list all roles with the `az role definition list` command. Check the output for any entries with an `assignableScope` of `/` or a `subscription`, and an action of `*`. Verify the usage and impact of removing the role identified. You can delete a role with the `az role definition delete --name \"rolename\"` command.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/billing/billing-add-change-azure-subscription-administrator \n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-1-protect-and-limit-highly-privileged-users \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-5-automate-entitlement-management \n6. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-2-restrict-administrative-access-to-business-critical-systems \n7. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy \n8. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-6-define-identity-and-privileged-access-strategy \n9. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges 16 Account Monitoring and Control Account Monitoring and Control","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.21","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"6.4","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"@permissions.actions:\"*\" @assignable_scopes:(\\/ OR \\/subscriptions*)","resourceType":"azure_role_definition","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_role_definition (@permissions.actions:\"*\" @assignable_scopes:(\\/ OR 
\\/subscriptions*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"til-md3-xoz","createdAt":1645802554619,"name":"Azure custom subscription owner roles do not exist"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a diagnostic setting is deleted which can disable centralized logging and metrics on Azure.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Inspect the diagnostic setting resource which is found in `@resourceId`.\n2. Verify that the user (`{{@usr.id}}`) to determine if the removal of the resource is legitimate.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"uhp-qsj-h45","createdAt":1615578377631,"name":"Azure diagnostic setting deleted or disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Azure disk is successfully exported. 
Export URLs generated in Azure are accessible to anyone with the URI. This could be utilized as an exfiltration method that would allow an attacker to download an Azure Compute VM's disk as a VHD file.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/DISKS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the disk (`{{@resourceId}}`) has a legitimate reason for being exported.\n2. If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URI.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/DISKS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":["@resourceId"],"aggregation":"count","name":"export_uri_generated","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"export_uri_generated > 0"}],"type":"log_detection","id":"ggf-4ew-mxl","createdAt":1635258347843,"name":"Azure disk export URI 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.8","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and new functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, your organization needs to determine if a given update meets your requirements and also verify the compatibility and support provided for any additional software against the update version.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Under General Settings, set Java version to latest version available\n6. Set Java minor version to latest version available\n7. Set Java web container to the latest version of web container available \n\n**NOTE**: No action is required if Java version is set to off as Java is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command: `timesaz webapp list-runtimes | grep java`\n\nTo set latest Java version for an existing app, run the following command:\n\n```azurecli\naz webapp config set --resource-group --name --java-version ''\n1.8'' --java-container ''Tomcat'' --java-container-version '''''\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.8","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_java_version:11","resourceType":"azure_app_service","filter":"-@site_config_java_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_java_version:\"\" (-@site_config_java_version:11)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qhc-mac-fyy","createdAt":1645813490324,"name":"Azure is using the latest version of Java to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.6","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, a new version of PHP is released to address security issues and/or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes and additional functionalities.\n\n## Rationale\n\nNew versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software update, organizations need to determine if the update meets their requirements and also verify the new version's compatibility with other software.\n\n## Remediation\n\nAzure Console:\n\n1. Log into Azure Portal using https://portal.azure.com.\n2. Go to **App Services**.\n3. Click on each app.\n4. Under **Settings**, click **Configuration**.\n5. 
Set PHP version to latest version available under **General Settings**.\n\n**Note**: No action is required if PHP version is set to off because PHP is not used by your web app.\n\nAzure CLI: To see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep php To set latest PHP version for an existing app, run the following commandaz webapp config set --resource-group --name --php-version \n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n# CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.6","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_php_version:7.4","resourceType":"azure_app_service","filter":"-@site_config_php_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_php_version:\"\" (-@site_config_php_version:7.4)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"sja-htc-xkm","createdAt":1645813490100,"name":"Azure is using the latest version of PHP to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","requirement:Transmission-Security","source:azure.appservice","cloud_provider:azure","framework:gdpr","control:9.7","level:1","requirement:Security-Management-Process","requirement:Application-Updates","scope:azure.appservice","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","framework:cis-azure","control:6.2","requirement:App-Service","requirement:Control-Activities","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPeriodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version.\n\n## Rationale\n\nNewer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements and also verify the compatibility and support provided for any additional software against the update revision that is selected.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#general-settings\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-3-establish-secure-configurations-for-compute-resources\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under Settings, click on Application Settings\n5. Set Python version to latest version available under General Settings\n\n**Note**: No action is required if Python version is set to off as Python is not used by your web app.\n\nAzure CLI:\n\nTo see the list of supported runtimes, run the following command:\n\n```azurecli\naz webapp list-runtimes | grep python To set latest Python version for an existing app, run the following commandaz webapp config set --resource-group --name --python-version '\n```\n\n## CIS Controls\n\nVersion 7 2.2 - Ensure Software is Supported by Vendor: Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. 
Unsupported software should be tagged as unsupported in the inventory system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.7","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@site_config_python_version:3.6","resourceType":"azure_app_service","filter":"-@site_config_python_version:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service -@site_config_python_version:\"\" (-@site_config_python_version:3.6)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"kuq-3pj-gyn","createdAt":1645813504306,"name":"Azure is using the latest version of Python to run Web Apps"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","source:azure.networkwatcher","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","scope:azure.networkwatcher","framework:soc-2","control:10.3","control:CC2.1","control:164.312-e-2-i","control:10.7"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Network Watcher can use flow logs so that you can monitor traffic from resources. This rule generates a finding if there is no retention policy set with a duration over 90 days. \n\nNote: 0 days means unlimited retention.\n\n## Rationale\n\nSetting this attribute enables flow logs to be retained for an appropriate amount of time that enables a better security posture for your organization. These logs should be retained critical resources in your environment.\n\n## Remediation\n\n### Console\n\n1. Follow the instructions in [Tutorial: Log network traffic to and from a virtual machine using the Azure portal][1] to enable the 'flow logs' in Network Watcher.\n\n### CLI\n\n1. Follow the steps in [Configuring Network Security Group Flow logs with Azure CLI][2] to enable the 'flow logs' in Network Watcher.\n2. Ensure Insights provider is registered by running the following command to check:\n\n ```\n az provider register --namespace Microsoft.Insights\n ```\n3. 
Enable `flow logs`:\n Note: You will need to have a storage account setup prior to this.\n ```\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location\n az network watcher flow-log create --resource-group resourceGroupName --enabled true --nsg nsgName --storage-account storageAccountName --location location --format JSON --log-version 2\n ```\n4. Repeat steps 2 and 3 for resources that are not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log\n[2]: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-cli\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nflow_log_not_compliant(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n\tflow_log.retention_policy_days >= 1\n\tflow_log.retention_policy_days <= 89\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\nflow_log_retention_policy_enabled_true_or_false(flow_log) if {\n\tflow_log.retention_policy_enabled == true\n} else {\n\tflow_log.retention_policy_enabled == false\n}\n\neval(network_watcher) = \"fail\" if {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_not_compliant(flow_log)\n} else = \"pass\" {\n\tflow_log = network_watcher.flow_logs[_]\n\tflow_log_retention_policy_enabled_true_or_false(flow_log)\n} else = \"skip\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_network_watcher"]},"validationQuery":"","resourceType":"azure_network_watcher","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_network_watcher","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"s5c-rsc-fkl","createdAt":1645572632106,"name":"Azure network service group log retention is properly set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.activedirectory","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new owner is added to a service principal, which applies to privilege escalation or persistence.\n\n## Strategy\nMonitor Azure Active Directory logs where 
`@evt.name` is `\"Add owner to service principal\"` and `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Inspect that the user is added to a service principal in `@properties.targetResources`.\n2. Verify with the user (`{{@usr.name}}`) to determine if the owner addition is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Add owner to service principal\" @evt.outcome:success @usr.name:*","groupByFields":[],"aggregation":"count","name":"new_owner_sp","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"new_owner_sp > 0"}],"type":"log_detection","id":"rtl-xes-5he","createdAt":1632250370345,"name":"Azure new owner added for service principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0009-collection","technique:T1074-data-staged","scope:azure-vm","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect if an Azure snapshot is exported. Export URLs generated in Azure are accessible to anyone with the URL.\n\n## Strategy\nMonitor Azure logs where `@evt.name` is `\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify the snapshot (`@resourceId`) has a legitimate reason for being exported.\n2. 
If the activity is not expected, investigate the activity around the IP (`{{@network.client.ip}}`) creating the export URL.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/SNAPSHOTS/BEGINGETACCESS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"export_uri","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"export_uri > 0"}],"type":"log_detection","id":"9tg-wsg-ung","createdAt":1635255178153,"name":"Azure snapshot export URI created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an invitation is sent to an external user.\n\n## Strategy\nMonitor Azure Active Directory Audit logs and detect when any `@evt.name` is equal to `Invite external user` and the `@evt.outcome` is equal to `success`.\n\n## Triage and response\n1. 
Review and determine if the invitation and its recipient are valid.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:\"Invite external user\" @evt.outcome:success","groupByFields":["@usr.id","@properties.targetResources.userPrincipalName"],"aggregation":"count","name":"invite_external_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"invite_external_user > 0"}],"type":"log_detection","id":"msq-9pm-ift","createdAt":1607106320758,"name":"Azure user invited an external user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure-containerinstances","source:azure","tactic:TA0002-execution","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a command is executed on a container instance with the Azure API.\n\n## Strategy\nMonitor Azure container instance logs where `@evt.name` is `\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.id}}`) should be executing commands on the container (`@resourceId`).\n2. 
If the activity is not expected, investigate the activity around the container (`@resourceId`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"service:azure @evt.name:\"MICROSOFT.CONTAINERINSTANCE/CONTAINERGROUPS/CONTAINERS/EXEC/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"container_exec_success","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"container_exec_success > 0"}],"type":"log_detection","id":"zgp-pfn-i0z","createdAt":1635255187164,"name":"Azure user ran command on container instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB access key with the Azure API. An attacker with the appropriate privileges can view an access key and use it to access and manage the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\\\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the access key for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB Database ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTKEYS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_keys","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_keys > 0"}],"type":"log_detection","id":"xtk-lr5-ryf","createdAt":1635356621176,"name":"Azure user viewed CosmosDB access keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1580-cloud-infrastructure-discovery","scope:azure-cosmosdb","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user successfully requests to view a CosmoDB connection string with the Azure API. An attacker with the appropriate privileges can view a connection string and use it to access or modify data in the CosmoDB database. \n\n## Strategy\nMonitor Azure CosmoDB logs where `@evt.name` is `\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\"` and `@evt.outcome` is `Success`.\n\n## Triage and response\n1. Verify that the user (`{{@usr.name}}`) should be viewing the connection string for the following CosmoDB database: ({{`@resourceId`}}).\n2. 
If the activity is not expected, investigate the activity around the CosmoDB ({{`@resourceId`}}).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.documentdb @evt.name:\"MICROSOFT.DOCUMENTDB/DATABASEACCOUNTS/LISTCONNECTIONSTRINGS/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"list_connectionstrings","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"list_connectionstrings > 0"}],"type":"log_detection","id":"h9n-pkk-zy9","createdAt":1635356624429,"name":"Azure user viewed CosmosDB connection string"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being exploited using the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `Base64` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. If you are not patched, decode the base64 string and look for any successful traffic to the malicious server.\n3. If a connection was successful to the malicious server, begin your company's IR procedures to remediate.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http.user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_referrer:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*) OR @http_user_agent:(*jndi\\:ldap*Base64* OR *jndi\\:rmi*Base64* OR *jndi\\:dns*Base64*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"medium","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"vfx-wnb-bkc","createdAt":1639665358897,"name":"Base64 was detected in an http.user_agent or http.referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","scored:true","security:compliance","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use basic authentication.\n\n## Rationale\n\nBasic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. The basic authentication is currently supported for convenience. 
Hence, basic authentication should not be used.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--basic-auth-file` argument does not exist.\n\n## Remediation\n\nFollow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--basic-auth-file=` parameter.\n\n## Impact\n\nYou will have to configure and use alternate authentication mechanisms such as tokens and certificates. Username and password for basic authentication could no longer be used.\n\n## Default value\n\nBy default, basic authentication is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n2. https://kubernetes.io/docs/admin/authentication/#static-password-file\n\n## CIS controls\n\nVersion 6\n\n16.14 Encrypt/Hash All Authentication Files And Monitor Their Access - Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. 
Audit all access to password files in the system.\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials - Encrypt or hash with a salt all authentication credentials when stored.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.2","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oug-uvq-sti","createdAt":1599605479472,"name":"Basic authentication is disabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.6","cloud_provider:azure","requirement:Monitoring","framework:gdpr","requirement:Default-Security-Parameter","control:164.308-a-3-i","control:10.5.1","requirement:Compliance","level:1","control:2.2.4","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","scope:azure.storage","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Azure","requirement:Least-Privileged-Access","control:2.8","requirement:Control-Activities","requirement:Data-Protection","control:7.2.1","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAnonymous read access is disabled for Azure Storage Blobs.\n\n## Rationale\n\nAnonymous access to Azure storage blob containers allows un-authenticated users to perform operations against your storage account. Datadog recommends only allowing authenticated users access to storage blobs. \n\n## Remediation\n\n### From the Console\n\nFollow the [Set the public access level for a container - Azure Console][1] guide to disable anonymous read access with the Azure Console.\n\n### From the Azure CLI\n\nFollow the [Set the public access level for a container - Azure CLI][2] guide to disable anonymous read access with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"10.5.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"2.8","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security
-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_blob_container) = \"pass\" if {\n\tstorage_blob_container.public_access == \"None\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_storage_blob_container"]},"validationQuery":"","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"nlq-obf-whr","createdAt":1645177311610,"name":"Blob Containers do not allow anonymous 
access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:8.1","control:4.3","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:4.1.1","control:8.1.4","control:8.2.3","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDatadog recommends using instance-specific SSH key(s) instead of common or shared project-wide SSH key(s) to access instances.\n\n## Rationale\n\nProject-wide SSH keys are stored in compute or project-meta-data. Project-wide SSH keys can be used to log into all instances within a project. Using project-wide SSH keys facilitates SSH key management, but if compromised, poses a security risk which can impact all instances within a project. Datadog recommmends using instance-specific SSH keys, which can limit the attack surface if SSH keys are compromised.\n\n## Impact\n\nUsers already having project-wide SSH key pairs and are using third-party SSH clients will lose access to the impacted instances. For project users using Google Cloud or GCP Console-based SSH options, no manual key creation and distribution is required, this is all handled by Google Compute Engine (GCE) itself. To access an instance using third-party SSH clients, the instance-specific SSH key pairs need to be created and distributed to the required users.\n\n## Remediation\n\n## From Console\n\n1. 
In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. For every instance, click on the instance name.\n3. Under **SSH Keys**, ensure **Block project-wide SSH keys** is selected.\n\n## From command line\n\n1. List the instances in your project and get details on each instance using `gcloud compute instances list --format=json`.\n\n2. Ensure the `block-project-ssh-keys` key is set to true.\n\n## Remediation\n\n## From Console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project.\n2. Click on the impacted instance name.\n3. Click **Edit** in the toolbar.\n4. To block users with project-wide SSH keys from connecting to this instance, select **Block project-wide SSH keys** under **SSH Keys**.\n5. Click **Save** at the bottom of the page.\n6. Repeat these steps for every impacted instance.\n\n## From Command Line\n\nTo block project-wide public SSH keys, set the metadata value to true using `gcloud compute instances add-metadata --metadata block-project-ssh-keys=TRUE`.\n\n## Default Value\n\nBy default, Block Project-wide SSH keys is not enabled.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n2. [https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n\n\n## Additional Information\n\nIf OS Login is enabled, SSH keys in the instance metadata are ignored, which means you do not need to block project-wide SSH keys.\n\n## CIS Controls\n\nVersion 8\n \n3.10 - Encrypt Sensitive Data in Transit\n- Encrypt sensitive data in transit. Example implementations can include: Transport\nLayer Security (TLS) and Open Secure Shell (OpenSSH).\n\n5.2 - Use Unique Passwords\n- Use unique passwords for all enterprise assets. 
Best practice implementation\nincludes, at a minimum, an 8-character password for accounts using MFA and a 14-\ncharacter password for accounts not using MFA.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys][2]\n[3]: https://cloud.google.com/sdk/gcloud/reference/topic/formats][3]\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_item(item) if {\n\titem.key == \"block-project-ssh-keys\"\n} else {\n\titem.key == 
\"enable-oslogin\"\n}\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\tnon_compliant_item(item)\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"v8z-9ik-mjr","createdAt":1657296719827,"name":"Block project-wide SSH keys is enabled for VM instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login five times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. 
See if 2FA was authenticated\n3. If the user was compromised, rotate user credentials.\n\n","options":{"detectionMethod":"threshold","evaluationWindow":600,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dde-oia-yjr","createdAt":1597422956269,"name":"Brute force attack on an Auth0 user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a bruteforce login with a user attempting to assume an anomalous number of roles.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [Anomalous number of assumed roles from user][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/cloudtrail-aws-user-attempted-to-assumerole-anomaly\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"anomalous_assumed_roles_from_user","additionalFilters":"","defaultRuleId":"fwu-obr-c9n","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to assumed role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && anomalous_assumed_roles_from_user > 0"}],"type":"signal_correlation","id":"vjo-1hm-1eg","createdAt":1664829839144,"name":"Brute forced ConsoleLogin event correlates with an assumed role event"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","iaas:azure","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a successful credential stuffing login with a user assumed a role.\n\n## Strategy\nCorrelate the [Credential Stuffing Attack on Azure][1] and [Azure AD member assigned Global Administrator role][2] signals based on 
the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. Determine if the credential stuffing attack was successful.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the credential stuffed account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/azure_credential_stuffing_attack\n[2]: https://docs.datadoghq.com/security_platform/default_rules/azure-ad-user-assigned-global-admin-role","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"azure_credential_stuffing","correlatedQueryIndex":1,"additionalFilters":"","defaultRuleId":"ljt-3f4-8ty","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@usr.id"],"name":"admin_role_assigned","additionalFilters":"","defaultRuleId":"psm-gpc-pgy","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Brute-forced user has assigned a role","condition":"azure_credential_stuffing > 0 && admin_role_assigned > 0"}],"type":"signal_correlation","id":"it0-1kg-8pj","createdAt":1664829839146,"name":"Brute-forced user has assigned a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.11","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host you can control the host CPU resources that a container may consume.\n\n## Rationale\n\nBy default, CPU time is divided between containers equally. If you wish to control available CPU resources amongst container instances, you can use the CPU sharing feature. CPU sharing allows you to prioritize one container over others and prevents lower priority containers from absorbing CPU resources which may be required by other processes. This ensures that high priority containers are able to claim the CPU runtime they require.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'` \n\nIf this command returns 0 or 1024, it means that CPU shares are not in place. If it returns a non-zero value other than 1024, it means that they are in place.\n\n## Remediation\n\nYou should manage the CPU runtime between your containers dependent on their priority within your organization. To do so, start the container using the `--cpu-shares` argument. For example, you could run a container as `docker run --interactive --tty --cpu-shares 512 centos /bin/bash` The container is started with CPU shares of 50% of what other containers use. So if the other container has CPU shares of 80%, this container will have CPU shares of 40%. Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if you run the command mentioned in the audit section.\n\n\nAlternatively:\n\n1. Navigate to the `/sys/fs/cgroup/cpu/system.slice/` directory.\n2. Check your container instance ID using docker ps.\n3. Inside the above directory (in step 1), call a directory. For example: `docker-.scope` or `docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope`. Navigate to this directory.\n4. You will find a file named `cpu.shares`. Execute `cat cpu.shares`. 
This will always give you the CPU share value based on the system. Even if there are no CPU shares configured using the `-c` or `--cpu-shares` argument in the docker run command, this file will have a value of 1024. If you set one containers CPU shares to 512 it will receive half of the CPU time compared to the other containers. So if you take 1024 as 100% you can then derive the number that you should set for respective CPU shares. For example, use 512 if you want to set it to 50% and 256 if you want to set it 25%.\n\n## Impact\n\nIf you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrained, CPU shares do not place any restrictions on individual resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally. No CPU shares are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.11","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gfh-gqy-log","createdAt":1599605955638,"name":"CPU priorities are set to ensure critical containers do not become unresponsive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.7","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %a `. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command to modify the file permissions of the `--client-ca-file`:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.7","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qtd-deo-dgb","createdAt":1599600622129,"name":"Certificate authorities file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable certificate based kubelet authentication.\n\n## Rationale\n\nThe apiserver, by default, does not authenticate itself to the kubelet's HTTPS endpoints. The requests from the apiserver are treated anonymously. 
You should set up certificate-based kubelet authentication to ensure that the apiserver authenticates itself to kubelets when submitting requests.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-client-certificate` and `--kubelet-client-key` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the kubelet client certificate and key parameters as below. \n\n```\n--kubelet-client-certificate= \n--kubelet-client-key=\n```\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, certificate-based kubelet authentication is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ ][2]\n3. [https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet][3]\n\n## CIS controls\n\nVersion 6.3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC. \n\nVersion 7.4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/ \n[3]: https://kubernetes.io/docs/concepts/cluster-administration/master-node-communication/#apiserver---kubelet\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.5","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ruj-lze-13b","createdAt":1599605732980,"name":"Certificate-based kubelet authentication is required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.2","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable client authentication on etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. 
You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--client-cert-auth` argument is set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--client-cert-auth=\"true\"\n```\n\n## Impact\n\nAll clients attempting to access the etcd server will require a valid client certificate.\n\n## Default value\n\nBy default, the etcd service can be queried by unauthenticated clients.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][`]\n2. [https://kubernetes.io/docs/admin/etcd/ ][1]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.2","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 
0"}],"type":"infrastructure_configuration","id":"joa-fjx-1li","createdAt":1599605891818,"name":"Client authentication is enabled for etcd"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.8","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the certificate authorities file ownership is set to `root:root`.\n\n## Rationale\n\nThe certificate authorities file controls the authorities used to validate API requests. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the following command: `ps -ef | grep kubelet`. Find the file specified by the `--client-ca-file` argument. Run the following command: `stat -c %U:%G `. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command to modify the ownership of the `--client-ca-file`:\n\n```\nchown root:root \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default no `--client-ca-file` is specified.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/authentication/#x509-client-certs][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/authentication/#x509-client-certs\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.8","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ifc-9ej-k7k","createdAt":1599603326156,"name":"Client certificate authorities file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:2.13","scored:true","security:compliance","cloud_provider:gcp","control:9.9.1","source:google_cloud_asset_inventory","requirement:Logging-and-Monitoring","framework:cis-gcp","requirement:Control-Activities","scope:google_cloud_asset_inventory","requirement:Firewall-Configuration","level:2","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Cloud Asset Inventory is a service that provides a historical view of GCP resources and\nIAM policies through a time-series database. 
The information recorded includes metadata\non Google Cloud resources, metadata on policies set on Google Cloud projects or resources,\nand runtime information gathered within a Google Cloud resource.\n\n## Rationale\nThe GCP resources and IAM policies captured by GCP Cloud Asset Inventory enables\nsecurity analysis, resource change tracking, and compliance auditing. It is recommended GCP Cloud Asset Inventory be enabled for all GCP projects.\n\n### Additional Information\n - Cloud Asset Inventory only keeps a five-week history of Google Cloud asset metadata. If you need a longer history, consider building automation to export the history to Cloud Storage or BigQuery.\n\n### Default Value\nThe Cloud Asset Inventory API is disabled by default in each project.\n\n## Remediation\n\n### From the console:\n\n1. Go to **API & Services/Library** by visiting [https://console.cloud.google.com/apis/library][1]\n2. Search for `Cloud Asset API` and select the result for Cloud Asset API\n3. Click the **ENABLE** button.\n\n### From the command line:\n\n1. Enable the Cloud Asset API through the services interface\n ```\n gcloud services enable cloudasset.googleapis.com\n ```\n\n## References\n1. 
[https://cloud.google.com/asset-inventory/docs][2]\n\n[1]: https://cloud.google.com/asset-inventory/docs\n[2]: https://console.cloud.google.com/apis/library","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.13","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"9.9.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(project) = \"pass\" if {\n\tproject.project_id\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"g71-wcx-ugx","createdAt":1659396390100,"name":"Cloud Asset Inventory is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:2.12","cloud_provider:gcp","control:10.6.2","control:10.1","requirement:Monitoring","control:10.6.1","control:A.12.4.1","control:10.2.4","control:A.12.4.3","framework:cis-gcp","level:2","framework:iso-27001","scope:google_dns_policy","framework:pci","requirement:Operations-Security","security:compliance","requirement:Logging-and-Monitoring","requirement:System-Operations","requirement:Control-Activities","framework:soc-2","source:google_dns_policy","control:10.2","control:10.3","control:CC7.2","control:10.6","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud DNS logging records the queries from the name servers within your VPC to\nStackdriver. Logged queries can come from Compute Engine VMs, GKE containers, or other\nGCP resources provisioned within the VPC.\n\n### Default value\nCloud DNS logging is disabled by default on each network.\n\n## Rationale\nSecurity monitoring and forensics cannot depend solely on IP addresses from VPC flow\nlogs, especially when considering the dynamic IP usage of cloud resources, HTTP virtual\nhost routing, and other technology that can obscure the DNS name used by a client from the\nIP address. Monitoring Cloud DNS logs provides visibility into DNS names requested by the\nclients within the VPC. These logs can be monitored for anomalous domain names and\nevaluated against threat intelligence.\n\nTo fully capture DNS logging records, your firewall must block egress for UDP/53 (DNS) and TCP/443 (DNS\nover HTTPS) to prevent the client from using an external DNS name server for resolution.\n\nOnly queries that reach a name server are logged. 
Cloud DNS resolvers cache\nresponses, queries answered from caches, and direct queries to an external DNS\nresolver outside the VPC are not logged.\n\n### Impact\nEnabling of Cloud DNS logging might result in your project being charged for the additional\nlogs usage.\n\n## Remediation\n\n### From the command line:\nFor VPC networks that need a new DNS policy with logging enabled, run the following:\n```\ngcloud dns policies create enable-dns-logging --enable-logging --\ndescription=\"Enable DNS Logging\" --networks=VPC_NETWORK_NAME\n```\n\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\nFor VPC networks that have existing DNS policies, run the following to enable logging:\n```\ngcloud dns policies update POLICY_NAME --enable-logging --\nnetworks=VPC_NETWORK_NAME\n```\nThe `VPC_NETWORK_NAME` can be one or more networks in a comma-separated list.\n\n## References\n1. [https://cloud.google.com/dns/docs/monitoring][1]\n\n[1]: https://cloud.google.com/dns/docs/monitoring\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.12","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.6.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","
version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(dns_policy) = \"pass\" if {\n\tdns_policy.enable_logging\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_policy"]},"validationQuery":"","resourceType":"gcp_dns_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kcx-kad-uvs","createdAt":1662120179391,"name":"Cloud DNS logging is enabled for VPC 
networks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:7.2","control:1.9","control:3.5","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is recommended that the IAM policy on Cloud KMS `cryptokeys` should restrict anonymous and/or public access.\n\n## Rationale\n\nGranting permissions to `allUsers` or `allAuthenticatedUsers` allows anyone to access the\ndataset. Such access might not be desirable if sensitive data is stored at the location. In this\ncase, ensure that anonymous and/or public access to a Cloud KMS `cryptokey` is not\nallowed.\n\n### Default Value:\nBy default Cloud KMS does not allow access to `allUsers` or `allAuthenticatedUsers`.\n\n### Impact\nRemoving the binding for `allUsers` and `allAuthenticatedUsers` members denies anonymous and public users access to `cryptokeys`.\n\n`key_ring_name` is the resource ID of the key ring, which is the fully-qualified key ring name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING`\nYou can retrieve the key ring resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n3. Click **Copy Resource ID**. 
The resource ID for the key ring is copied to your clipboard.\n\n`key_name` is the resource ID of the key, which is the fully-qualified CryptoKey name. This value is case-sensitive and in the format: `projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY`\nYou can retrieve the key resource ID using the Cloud Console:\n\n1. Open the **Cryptographic Keys** page in the Cloud Console.\n2. Click the name of the key ring that contains the key.\n3. For the key ring whose resource ID you are retrieving, click the kebab menu (3 vertical dots).\n4. Click **Copy Resource ID**. The resource ID for the key ring is copied to your clipboard.\n\n`role` is the role to remove the member from.\n\n## Remediation\n\n### From the command line:\n\n1. List all Cloud KMS `Cryptokeys`.\n ```\n gcloud kms keys list --keyring=[key_ring_name] --location=global --format=json | jq '.[].name'\n ```\n2. To remove access to `allUsers` and `allAuthenticatedUsers`, remove the IAM policy binding for a KMS key using the below command.\n ```\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allAuthenticatedUsers' --role='[role]'\n\n gcloud kms keys remove-iam-policy-binding [key_name] --keyring=[key_ring_name] --location=global --member='allUsers' --role='[role]'\n ```\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding][1]\n2. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy][2]\n3. [https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy][3]\n4. 
[https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id][4]\n\n[1]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/remove-iam-policy-binding\n[2]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/set-iam-policy\n[3]: https://cloud.google.com/sdk/gcloud/reference/kms/keys/get-iam-policy\n[4]: https://cloud.google.com/kms/docs/object-hierarchy#key_resource_id\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot contains(iam_policy.resource_name, \"/keyRings/\")\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allAuthenticatedUsers\", \"allUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kg9-ypa-tmt","createdAt":1658879416757,"name":"Cloud KMS cryptokeys are not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Storage","source:google_iam_policy","framework:cis-gcp","requirement:Compliance","level:1","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","scope:google_iam_policy","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Communications-Security","control:3.5","control:7.1","control:5.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:3.5.2","control:A.9.1.2","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that IAM policies on Cloud Storage buckets do not allow anonymous or public access.\n\n## Rationale\nWith anonymous or public access, anyone has permission to access bucket content. Such access might not be desired if you are storing sensitive data, so ensure that anonymous or public access to a bucket is not allowed.\n\n### Additional Information\nTo implement access restrictions on buckets, configuring Bucket IAM is preferred over configuring Bucket ACL. In the GCP console, the **Edit Permissions** button for a bucket exposes IAM configurations only. Bucket ACLs are configured to automatically implement and support user-enforced Bucket IAM policies. If an administrator changes a Bucket ACL using command-line gsutils or the API, the associated bucket IAM policy is also updated automatically.\n\n### Impact\nStorage buckets are not publicly accessible. 
You have to explicitly administer bucket access.\n\n### Prevention\nYou can prevent Storage buckets from becoming publicly accessible by setting up the `Domain restricted sharing` organization policy at:\n[https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains][2]\n\n### Default value\nBy default, Storage buckets are not publicly accessible.\n\n## Remediation\n\n### From the console:\n1. Go to `Storage browser` at [https://console.cloud.google.com/storage/browser][1].\n2. Click on the bucket name to access the `Bucket details` page.\n3. Click on the `Permissions` tab.\n4. Click the `Delete` button in front of `allUsers` and `allAuthenticatedUsers` to remove that particular role assignment.\n\n### From the command line:\nRemove `allUsers` and `allAuthenticatedUsers` access.\n``` \ngsutil iam ch -d allUsers gs://BUCKET_NAME\ngsutil iam ch -d allAuthenticatedUsers gs://BUCKET_NAME\n```\n\n## References\n1. [https://cloud.google.com/storage/docs/access-control/iam-reference][3]\n2. [https://cloud.google.com/storage/docs/access-control/making-data-public][4]\n3. 
[https://cloud.google.com/storage/docs/gsutil/commands/iam][5]\n\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-allowedPolicyMemberDomains\n[3]: https://cloud.google.com/storage/docs/access-control/iam-reference\n[4]: https://cloud.google.com/storage/docs/access-control/making-data-public\n[5]: https://cloud.google.com/storage/docs/gsutil/commands/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1","framework":"cis-gcp","requirement":"Storage","version":"1.3.0"},{"control":"3.5","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physi
cal-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"skip\" if {\n\tnot isBucket(iam_policy)\n} else = \"fail\" {\n\tiam_policy.bindings[_].members[_] in [\"allUsers\", \"allAuthenticatedUsers\"]\n} else = \"pass\" {\n\ttrue\n}\n\nisBucket(iam_policy) if {\n\tiam_policy.gcp_resource_type == \"gcp_storage_bucket\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"c2m-9sq-pbl","createdAt":1658821626959,"name":"Cloud storage bucket is not anonymously or publicly 
accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","requirement:Logging","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:5.2","requirement:Communications-Security","control:7.1","control:3.3","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","source:google_storage_bucket","control:A.18.1.3","framework:soc-2","scope:google_storage_bucket","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUniform bucket-level access is enabled on Cloud Storage buckets.\n\n## Rationale\n\nYou should use uniform bucket-level access to unify and simplify how you grant\naccess to your Cloud Storage resources.\nCloud Storage offers two systems for granting users permission to access your buckets and\nobjects: \n- **Cloud Identity and Access Management (Cloud IAM)**: Used throughout Google Cloud, and allows you to grant a variety of permissions at the bucket and project levels. \n- **Access Control Lists(ACLs)**: Used only by Cloud Storage and has limited permission options, but allows you to grant permissions on a per-object basis.\n\nThese systems act in parallel. A user needs only one of the systems to grant them permission in order to access a Cloud Storage resource. \n\nTo facilitate maintaining consistent permissions, Cloud Storage provides an option called Uniform bucket-\nlevel access. Using this feature disables ACLs for all Cloud Storage resources. Access to\n\nCloud Storage resources then is granted exclusively through Cloud IAM. 
Enabling uniform\nbucket-level access guarantees that if a Storage bucket is not publicly accessible, no object\nin the bucket is publicly accessible either.\n\n## Impact\nIf you enable uniform bucket-level access, you revoke access from users who gain their\naccess solely through object ACLs.\nCertain Google Cloud services, such as Stackdriver, Cloud Audit Logs, and Datastore, cannot\nexport to Cloud Storage buckets that have uniform bucket-level access enabled.\n\n## Remediation\n\n## From the console:\n1. Open the Cloud Storage browser by visiting [https://console.cloud.google.com/storage/browser][1].\n2. In the list of buckets, select the name of the desired bucket.\n3. Select the Permissions tab.\n4. In the text box that starts with This bucket uses fine-grained access control..., click **Edit**.\n5. In the pop-up menu that appears, select Uniform.\n6. Click **Save**.\n\n## From the command line:\n\nRun the following command: \n ```\n `gsutil uniformbucketlevelaccess set on gs://BUCKET_NAME/`\n ```\n\n\n## Prevention\nSet up an Organization Policy to enforce that any new bucket has uniform bucket-level access enabled. Read more about [Organization Policy constraints][2].\n\n## Default\n\nBy default, Cloud Storage buckets do not have uniform bucket-level access enabled.\n\n\n## References\n1. [https://cloud.google.com/storage/docs/uniform-bucket-level-access][3]\n2. [https://cloud.google.com/storage/docs/using-uniform-bucket-level-access][4]\n3. [https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket][5]\n\n## Additional Information\nUniform bucket-level access cannot be disabled if it has been active on a bucket for 90 consecutive days.\n\n## CIS controls\n\nVersion 8, 3.3 - Configure Data Access Control Lists\n- Configure data access control lists based on a user\u2019s need to know. 
Apply data\naccess control lists, also known as access permissions, to local and remote file systems,\ndatabases, and applications.\n\n[1]: https://console.cloud.google.com/storage/browser\n[2]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket\n[3]: https://cloud.google.com/storage/docs/uniform-bucket-level-access\n[4]: https://cloud.google.com/storage/docs/using-uniform-bucket-level-access\n[5]: https://cloud.google.com/storage/docs/setting-org-policies#uniform-bucket","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2","framework":"cis-gcp","requirement":"Logging","version":"1.3.0"},{"control":"3.3","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(storage_bucket) = \"pass\" if {\n\tstorage_bucket.iam_configuration.uniform_bucket_level_access.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains 
unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_storage_bucket"]},"validationQuery":"","resourceType":"gcp_storage_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_storage_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dwn-5mi-cjt","createdAt":1657547752494,"name":"Cloud storage buckets have uniform bucket-level access enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Secure-Applications","control:CC6.7","security:compliance","control:CC6.6","scope:cloudfront","cloud_provider:aws","control:A.12.2.1","requirement:Communications-Security","control:A.12.4.1","control:A.13.1.1","framework:soc-2","control:6.6","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that your [AWS CloudFront][1] distributions are integrated with [AWS Web Application Firewall][2] (AWS WAF).\n\n## Rationale\n\nAWS WAF helps protect web applications from common exploits, such as SQL injection or cross-site scripting.\n\n## Remediation\n\n### Console\n\nFollow the [associate or disassociate an AWS WAF web ACL and an existing CloudFront distribution by using the CloudFront console][3] docs to integrate with AWS WAF.\n\n### CLI\n\n1. 
Run `aws waf get-change-token` to generate a token.\n2. Run `aws waf create-ip-set` with your newly generated token. Additional information can be found in the [create-ip-set AWS documentation][4].\n\n ```\n create-ip-set\n --name test_ipset\n --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n3. Create an `IPSetDescriptor` JSON object in a new document and define the IP address or ranges you wish to block. Save the file.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"IPSetDescriptor\": {\n \"Type\": \"IPV4\" | \"IPV6\",\n \"Value\": \"192.0.2.0/24\"\n }\n }\n ]\n ```\n\n4. Run `aws waf update-ip-set` with the `change-token` (generated in step 1), `ip-set-id` (generated in step 2), and the file you just created. Additional information can be found in the [update-ip-set AWS documentation][5].\n\n ```\n aws waf update-ip-set\n --ip-set-id bd12ea6c-012a-4b7c-9342-80ab96e4b291\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n\t --updates file://ip-set-descriptor.json\n ```\n\n5. Run `aws waf create-rule` with a new rule `name` and your `change-token` (generated in step 1). Additional information can be found in the [create-rule AWS documentation][6].\n\n ```\n aws waf create-rule\n\t --name NameOfRule\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n6. Run `aws waf create-web-acl` with a `name` and your `change-token` (generated in step 1), and set the default action to block. Additional information can be found in the [create-web-acl AWS documentation][7].\n\n ```\n aws waf create-web-acl\n\t --name NameOfACL\n --default-action Type=BLOCK\n\t --change-token abcd0123-1234-a12b-1234-a0b1c2e3d4f5\n ```\n\n7. Create a new JSON file and define `ActivatedRule` as an object that references the ACL rule created in step 6. Assign it a default action, `INSERT`.\n\n ```\n [\n {\n \"Action\": \"INSERT\",\n \"ActivatedRule\": {\n \"RuleId\": \"your-rule-id\",\n \"Action\": {\n \"Type\": \"BLOCK\"\n }\n }\n }\n ]\n ```\n\n8. 
Run `update-web-acl` with the `web-acl-id` (generated in step 5), `change-token` (generated in step 1), and the file you just created in step 7.\n\n ```\n aws waf update-web-acl\n --web-acl-id webaclid\n --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4\n --update activated-rule.json\n ```\n\n9. Run `get-distribution-config`.\n10. In a new JSON file, modify the returned configuration information to attach the WAF ACL. Set the `WebACLId` as the ID you returned in step 5. Save the file.\n\n ```\n {\n \"ETag\": \"etag\",\n \"DistributionConfig\": {\n ...\n \"WebACLId\": \"webaclid\",\n ...\n }\n }\n ```\n\n11. Run `update-distribution` with the `id` and `etag` previously returned in step 9. Additional information can be found in the [update-distribution AWS documentation][8].\n\n ```\n aws cloudfront update-distribution\n --id webaclid\n --distribution-config activated-ruled.json\n --if-match etag\n ```\n\n[1]: https://aws.amazon.com/cloudfront/\n[2]: https://aws.amazon.com/waf/\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html\n[4]: https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-ip-set.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/waf/update-ip-set.html\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-rule.html\n[7]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/create-web-acl.html\n[8]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"pci","requirement":"Secure-Applications","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"(@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.web_acl_id:\"\" OR @distribution_config_web_acl_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"qo4-jsd-nfn","createdAt":1599574008896,"name":"CloudFront distribution is integrated with 
WAF"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.\n\n## Rationale\n\nTLS v1.1, the minimum protocol recommended for AWS CloudFront, and the cipher used to encrypt this content, improve application security.\n\n## Remediation\n\n### Console\n\nFollow the [Values That You Specify When You Create or Update a Distribution][3] docs to update your CloudFront distribution's [Minimum Origin SSL Protocol][3] to TLS v1.1 or greater.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. 
In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLC v1.1 (2016) or v1.2 (2018).\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n ...\n \"ViewerCertificate\": {\n ...\n \"MinimumProtocolVersion\": \"TLSv1.1_2016\",\n },\n ...\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config tls-version.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesOriginSSLProtocols\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Mainten
ance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.viewer_certificate.minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\") OR @distribution_config_viewer_certificate_minimum_protocol_version:(\"TLSv1\" OR \"TLSv1_2016\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2np-sw5-cre","createdAt":1599574001774,"name":"CloudFront distribution's security policy is TLS v1.1 or 
greater"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","source:cloudfront","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","scope:cloudfront","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure logging is enabled for AWS CloudFront to track things like client IP addresses and access points.\n\n## Rationale\n\nLogging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring and using standard logs][4] docs to enable logging for AWS CloudFront.\n\n### CLI\n\n1. Run `create-bucket` to [create an S3 bucket][1] for your CloudFront log files.\n\n ```\n aws s3api create-bucket\n --bucket your-bucket-name\n ```\n\n2. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][2].\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n3. Create a new JSON file with the returned configuration. Enable logging and set an S3 bucket location (returned in step 1) to configure where the logs will be located. 
Save the file.\n\n ```\n {\n \"ETag\": \"ID000000000000\",\n \"DistributionConfig\": {\n ...\n \"Logging\": {\n \"Bucket\": \"your-bucket-name.s3.amazonaws.com\",\n \"Enabled\": true,\n },\n ...\n }\n }\n }\n ```\n\n4. Run `update-distribution` to [update your distribution][3] with your distribution `id`, the path of the configuration file (created in step 3), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config logging-enabled.json\n --if-match ETAG1000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[4]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-i
i-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true)","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((-@distribution_config.logging.enabled:true OR -@distribution_config_logging_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"e1l-f7w-llc","createdAt":1599574007739,"name":"CloudFront logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that an AWS CloudTrail trail has file integration validation enabled.\n\n### Rationale\n\nAWS CloudTrail file integration validation can verify whether files were modified or changed once delivered to an S3 bucket.\n\n### Remediation\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [enable-log-file-validation][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --enable-log-file-validation\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@log_file_validation_enabled:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ubl-mrs-ket","createdAt":1599574002238,"name":"CloudTrail Log File Integrity Validation Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:pci-aws","scope:cloudtrail","cloud:aws","source:cloudtrail","framework_version:3.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"### Description\n\nEnsure that AWS CloudTrail logs are encrypted.\n\n### Rationale\n\nEncrypting AWS CloudTrail logs with a KMS encryption key helps protect your data and ensures only certain IAM users can access these logs.\n\n### Remediation\n\n1. Create a new policy configuration file that enables CloudTrail [encrypting and decrypting permissions][1].\n2. Run `create-key` using the policy file path.\n\n ```\n aws kms create-key\n --policy new-policy-file.json\n ```\n\n3. Run `create-alias` with a [newly created alias name][2] and the `target-key-id` as the KMS key returned in step 2.\n\n ```\n aws kms create-alias\n --alias-name alias/CloudTrailKSM\n --target-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n4. 
Run `update-trail` on [the trail name you wish to update][3] and the KMS key returned in step 2.\n\n ```\n aws cloudtrail update-trail\n --name MyGlobalTrail\n --kms-key-id 12345678-abcd-1a2b-1234-012345678901\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail -@kms_key_id:*","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"cww-xfw-no7","createdAt":1599574002335,"name":"CloudTrail Logs Not 
Encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","control:A.12.4.2","requirement:Security-Incident-Procedures","control:10.3.2","control:10.3.1","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that an AWS CloudTrail trail has global service events enabled.\n\n## Rationale\n\nEasily troubleshoot security issues for global services that aren't region-specific.\n\n## Remediation\n\n### Console\n\nBy default, trail logs created in the CloudTrail console log global service events. For more information, see the [About global service events][2] docs.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. 
Run `update-trail` on any returned trail name above to [include-global-service-events][1].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --include-global-service-events\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-global-service-events","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6
-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":" @include_global_service_events:false","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail ( @include_global_service_events:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7ak-zke-f64","createdAt":1599574004589,"name":"CloudTrail global services are enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.5.5","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","control:164.312-c-2","requirement:Integrity","control:164.312-c-1","security:compliance","cloud_provider:aws","control:3.2","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCloudTrail log file validation creates a digitally signed digest file containing a 
hash of each log that CloudTrail writes to S3. Use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. You should enable file validation on all CloudTrails.\n\n## Rationale\n\nEnabling log file validation will provide additional integrity checking of CloudTrail logs.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNot Enabled\n\n## References\n\n1. [http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html][2]\n2. CCE-78914-9\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-enabling.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.2","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.312-c-1","framework":"hipaa
","requirement":"Integrity","version":"1"},{"control":"164.312-c-2","framework":"hipaa","requirement":"Integrity","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"}],"validationQuery":"-@log_file_validation_enabled:true @log_file_validation_enabled:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@log_file_validation_enabled:true @log_file_validation_enabled:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9we-gmy-kne","createdAt":1599574003762,"name":"CloudTrail log file validation is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Logging","requirement:System-Acquisition-Development-and-Maintenance","level:2","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.7","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:cloudtrail","control:A.9.2.3","control:32.1a","control:3.5.2","source:cloudtrail","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources per IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data. It uses Hardware Security Modules (HSMs) to protect the security of encryption keys. Configure your CloudTrail logs to leverage server-side encryption (SSE), and KMS customer-created master keys (CMK) to further protect CloudTrail logs. You should set up CloudTrail to use SSE-KMS.\n\n## Rationale\n\nConfiguring CloudTrail to use SSE-KMS provides additional confidentiality controls on log data. A given user must have S3 read permission on the corresponding log bucket and have decrypt permission by the CMK policy.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nCustomer created keys incur an additional cost. 
See [https://aws.amazon.com/kms/pricing/][2] for more information.\n\n## Default value\n\nNone\n\n## References\n\n1. [https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html][3]\n2. [https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html][4]\n3. CCE-78919-8\n\n## CIS controls\n\nVersion 7 - 6 Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html\n[4]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.7","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"
hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_key_id:*","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@kms_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kah-ejb-3v1","createdAt":1599574006065,"name":"CloudTrail logs are encrypted at rest using KMS CMKs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:164.308-a-7-i","requirement:Transmission-Security","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","control:10.2.1","framework:gdpr","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Context-of-the-Organization","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:4.4","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","scope:cloudtrail","source:cloudtrail","control:164.312-b","control:CC2.1","control:164.312-e-2-i","control:CC7.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudTrail is enabled.\n\n## Rationale\n\nAWS CloudTrail enables you to configure regions from one location to maintain infrastructure 
security.\n\n## Remediation\n\n### Console\n\nFollow the [AWS CloudTrail tutorial][1] docs to get started with CloudTrail.\n\n### CLI\n\n1. Run `aws cloudtrail describe-trails`\n2. Run `update-trail` on any returned trail name above to [enable multi-region-trail][2].\n\n ```\n aws cloudtrail update-trail\n --name GlobalTrailName\n --is-multi-region-trail\n ```\n\n[1]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-tutorial.html#tutorial-step2\n[2]: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail-by-using-the-aws-cli-update-trail.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.2.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"4.4","framework":"iso-27001","requirement":"Context-of-the-Organization","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-7-i","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Sec
urity","version":"1"}],"validationQuery":"-@is_multi_region_trail:true","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail (-@is_multi_region_trail:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"v41-4ht-rxo","createdAt":1599573999944,"name":"CloudTrail multi-region is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVerify that HTTPS is used to secure AWS CloudFront distributions communications.\n\n## Rationale\n\nHTTPS ensures that malicious activity cannot occur when data is sent within AWS CloudFront's Content Distribution Network (CDN).\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between CloudFront and your custom origin][3] docs to change your Origin Protocol Policy to HTTPS 
only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `OriginProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"Items\": [\n {\n \"CustomOriginConfig\": {\n \"OriginProtocolPolicy\": \"https-only\",\n ...\n }\n }\n ]\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR 
\"match-viewer\"))","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.origins.items.custom_origin_config.origin_protocol_policy:(\"http-only\" OR \"match-viewer\") OR @distribution_config.origins.items.custom_origin_config_origin_protocol_policy:(\"http-only\" OR \"match-viewer\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q5e-clj-mow","createdAt":1599574006435,"name":"Cloudfront distribution is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","scope:cloudfront","cloud_provider:aws","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:164.312-e-2-i","control:8.2.1","control:CC8.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS CloudFront field-level encryption is enabled.\n\n## Rationale\n\nField-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.\n\n## Remediation\n\n### Console\n\nFollow the [Setting Up Field-Level Encryption][1] docs to enable field-level encryption.\n\n### CLI\n\n1. Generate a RSA key pair. 
Run `ssh-keygen -t rsa`.\n\n2. Run `create-public-key` with the generated key.\n\n ```\n aws cloudfront create-public-key\n --public-key-config CallerReference=\"0123456789012\",Name=\"public-key\",EncodedKey=\"-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\",Comment=\"Field-level encryption public key.\"\n ```\n\n3. Modify the returned configuration in a new JSON file by setting `PublicKeyID` as your public ID key. Configure any other options you require and save the file.\n\n ```\n {\n \"PublicKey\": {\n ...\n \"Id\": \"PUBKEYID000000\",\n ...\n }\n }\n ```\n\n4. Run `create-field-level-encryption-profile` using the path of the configuration file saved in step 3.\n\n ```\n aws cloudfront create-field-level-encryption-profile\n --field-level-encryption-profile-config public-key-id.json\n ```\n\n5. Modify the returned configuration in a new JSON file by setting `ProfileID` as your profile ID. Configure any other options you require and save the file.\n\n ```\n {\n ...\n \"ContentTypeProfileConfig\": {\n ...\n \"Items\": [\n {\n \"ProfileId\": \"ABCD1234567890\",\n }\n ]\n }\n }\n ```\n\n6. Run `create-field-level-encryption-config` using the path of the configuration file saved in step 5.\n\n ```\n aws cloudfront create-field-level-encryption-config\n --field-level-encryption-config profile-id.json\n ```\n\n7. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your distribution's configuration information.\n\n ```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n8. Modify the returned configuration in a new JSON file by setting `FieldLevelEncryptionID` as your field level encryption ID. 
Configure any other options you require and save the file.\n\n**Note**: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.\n\n ```\n {\n \"DistributionConfig\": {\n ...\n \"Origins\": {\n \"Items\": [\n {\n ...,\n \"OriginProtocolPolicy\": \"https-only\",\n },\n ],\n ...\n },\n \"DefaultCacheBehavior\": {\n \"FieldLevelEncryptionId\": \"ACBD1234567890\",\n \"ViewerProtocolPolicy\" : \"https-only\"\n },\n ...\n }\n }\n ```\n\n9. Run `update-distribution` with your AWS CloudFront distribution `id`, the configuration file saved in step 8, and `etag` to enable field-level encryption.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config field-level-encryption-id.json\n --if-match E1000000000000\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.defau
lt_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.field_level_encryption_id:\"\" OR @dist_config_default_cache_behavior_field_level_encryption_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"udh-nqo-4ct","createdAt":1599574007140,"name":"Cloudfront distribution is field-level encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","source:cloudfront","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","scope:cloudfront","cloud_provider:aws","control:2.3","control:4.1","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the AWS CloudFront Content Delivery Network (CDN) for your distribution is using HTTPS to send and receive content.\n\n## Rationale\n\nHTTPS ensures encrypted communication for your AWS 
CloudFront distribution, alleviating the possibility of malicious attacks like packet interception.\n\n## Remediation\n\n### Console\n\nFollow the [configure CloudFront to require HTTPS between viewers and CloudFront][3] docs to change your Viewer Protocol Policy to HTTPS only.\n\n### CLI\n\n1. Run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information][1].\n\n\t```\n aws cloudfront get-distribution-config\n --id ID000000000000\n ```\n\n2. In a new JSON file, modify the returned configuration. Set `ViewerProtocolPolicy` to `https-only` and save the configuration file.\n\n ```\n {\n \"ETag\": \"ETAG0000000000\",\n \"DistributionConfig\": {\n \"Origins\": {\n \"ViewerProtocolPolicy\": \"https-only\",\n ...\n }\n }\n }\n ```\n\n3. Run `update-distribution` to [update your distribution][2] with your distribution `id`, the path of the configuration file (created in step 2), and your `etag`.\n\n ```\n aws cloudfront update-distribution\n --id ID000000000000\n --distribution-config https-only.json\n --if-match ETAG0000000000\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html\n[3]: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR 
@dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\")","resourceType":"aws_cloudfront_distribution","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudfront_distribution ((@distribution_config.default_cache_behavior.viewer_protocol_policy:\"allow-all\" OR @dist_config_default_cache_behavior_viewer_protocol_policy:\"allow-all\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fei-uz9-zhw","createdAt":1599574003275,"name":"Cloudfront viewer is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1027-obfuscated-files-or-information","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a compiler (like `clang` or `bcc`) is executed inside of a container.\n\n## Strategy\nAfter an initial compromise, attackers may attempt to download additional tools to their victim's infrastructure. In order to make these additional tools difficult to detect or analyze, attackers sometimes deliver their tools as uncompiled code, and then compile their malicious binaries directly on the victim's infrastructure. In containerized environments, the use of compilers is especially suspicious because in production it is best practice to make containers immutable. The use of a compiler in a production container could indicate an attacker staging tools, or unwanted container configuration drift. \n\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee compile a tool inside of a container for an approved reason, or does an approved software compile additional files on startup?\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:compiler_in_container","groupByFields":["host"],"aggregation":"count","name":"compiler_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"compiler_in_container","condition":"compiler_in_container > 0"}],"type":"workload_security","id":"cu1-ji1-azm","createdAt":1627392836759,"name":"Compiler executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS EC2 access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the EC2 instance with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS EC2 access key.\n\n## Triage and response\n1. 
Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` instance should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the EC2 access key should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`., then consider isolating the account and reset credentials.\n3. Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n7 April 2022 - Updated rule name and signal message.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":166,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId"],"query":"source:cloudtrail -@level:Error @userIdentity.type:AssumedRole @userIdentity.session_name:i-* -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"5cf-9yq-zxn","createdAt":1646247437871,"name":"Compromised AWS EC2 Instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key and filter out VPNs and AWS Internal IPs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.\n\n## Changelog\n- 7 April 2022 - Updated signal message.\n- 3 August 2022 - Fixed null groupby field in query.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.accessKeyId","@usr.name"],"query":"source:cloudtrail -@level:Error @userIdentity.type:IAMUser -@network.client.geoip.invalidAddress:\"AWS Internal\" -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tln-vhi-j2e","createdAt":1646247475808,"name":"Compromised AWS IAM User Access Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:4.8","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:8.2.1","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTo defend against advanced threats and ensure that the boot loader and firmware on your VMs are signed and untampered, Datadog recommends launching compute instances with Shielded VM enabled.\n\n## Rationale\n\nShielded VMs are virtual machines on the Google Cloud Platform that are hardened by a set of security controls 
and help defend against rootkits and bootkits. Shielded VM offers verifiable integrity of your Compute Engine VM instances through Secure Boot, a virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. This ensures your instances are not compromised by boot- or kernel-level malware, or rootkits. \n\nShielded VM instances run firmware which is signed and verified using Google's Certificate Authority, ensuring that the instance's firmware is unmodified and establishes trust for Secure Boot.\n\nIntegrity monitoring helps you understand and make decisions about the state of your VM instances and the Shielded VM vTPM enables Measured Boot by performing the measurements needed to create a known good boot baseline, also known as the integrity policy baseline. The integrity policy baseline is used to compare measurements from subsequent VM boots to determine if anything has changed.\n\nSecure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halts the boot process if signature verification fails.\n\n## Remediation\n\nTo turn on Shielded VM on an instance, your instance must use an image with Shielded VM support.\n\n### From console\n\n1. In the Google Cloud Console, navigate to [VM Instances page][1], which lists all instances in your project. \n2. Click on the instance name to see a VM Instance Details page.\n3. Click **Stop** to stop the instance.\n4. When the instance has stopped, click **Edit**.\n5. In the **Shielded VM** section, select **Turn on vTPM** and **Turn on Integrity Monitoring**.\n6. Optionally, if you do not use any custom or unsigned drivers on the instance, also select **Turn on Secure Boot**.\n7. Click the **Save** button to modify the instance and click **Start** to restart it.\n\n### From the command line\n\nYou can only enable Shielded VM options on instances that have Shielded VM support. 
For a list of Shielded VM public images, run the gcloud compute images list command with the following flags:\n\n```\ngcloud compute images list --project gce-uefi-images --no-standard-images\n```\n\n1. Stop the instance using `gcloud compute instances stop `.\n2. Update the instance using `gcloud compute instances update --shielded-vtpm --shielded-vm-integrity-monitoring`.\n3. Optionally, if you do not use any custom or unsigned drivers on the instance, also turn on Secure Boot using `gcloud compute instances update --shielded-vm-secure-boot`.\n4. Restart the instance using `gcloud compute instances start `.\n\n## Prevention\n\nTo ensure that all new VMs are created with Shielded VM enabled, create an Organization Policy for Shielded VM in the [Organization Policies page][2]. \n\nFor more information, see the [Google Cloud documentation][3].\n\n## Default Value\n\nBy default, Compute Instances do not have Shielded VM enabled.\n\n## References\n\n1. [https://cloud.google.com/compute/docs/instances/modifying-shielded-vm][4]\n2. [https://cloud.google.com/shielded-vm][5]\n3. [https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint][6]\n\n## Additional Information\n\nYou can only set the `canIpForward` field at instance creation time. After an instance is created, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-requireShieldedVm\n[3]: https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n[4]: https://cloud.google.com/compute/docs/instances/modifying-shielded-vm\n[5]: https://cloud.google.com/shielded-vm\n[6]: 
https://cloud.google.com/security/shielded-cloud/shielded-vm#organization-policy-constraint\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.8","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"pass\" if {\n\tshieldedConfig := compute_instance.shielded_instance_config\n\tshieldedConfig.enable_integrity_monitoring\n\tshieldedConfig.enable_vtpm\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hwa-bzq-nzg","createdAt":1656620517029,"name":"Compute Instances are launched with Shielded VM enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","control:4.9","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:3.6","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCompute instances should not be configured to have external IP addresses.\n\n## Rationale\n\nTo reduce your attack surface, Compute instances should not have public IP addresses.\nInstead, instances should be configured behind load balancers, to minimize the instance's\nexposure to the internet.\n\nYou can connect to Linux VMs that do not have public IP addresses by using Identity-Aware Proxy for TCP forwarding. 
Learn more at\n[https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][8].\n\nFor Windows VMs, see [https://cloud.google.com/compute/docs/instances/connecting-to-instance][9].\n\n### Impact\n\nRemoving the external IP address from your Compute instance may cause some\napplications to stop working.\n\n### Prevention\n\nYou can configure the \"Define allowed external IPs for VM instances\" organization policy to prevent VMs from being configured with public IP addresses. Learn more at:\n[https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address][2]\n\n### Exception\n\nInstances created by GKE should be excluded because some of them have external IP\naddresses and cannot be changed by editing the instance settings. Instances created by GKE\nshould be excluded. These instances have names that start with \"gke-\" and are labeled\n\"goog-gke-node\".\n\n## Remediation\n\n### From the console:\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go the the Instance detail page.\n3. Click **Edit**.\n4. For each Network interface, ensure that **External IP** is set to None.\n5. Click **Done** and then click **Save**.\n\n### From the command line:\n\n1. Describe the instance properties:\n\n ```\n gcloud compute instances describe --zone=\n ```\n2. Identify the access config name that contains the external IP address. This access config appears in the following format:\n\n ```\n networkInterfaces:\n - accessConfigs:\n - kind: compute#accessConfig\n name: External NAT\n natIP: 130.211.181.55\n type: ONE_TO_ONE_NAT\n ```\n3. Delete the access config:\n\n ```\n gcloud compute instances delete-access-config --zone= --access-config-name \n ```\n\nIn the above example, the `ACCESS_CONFIG_NAME` is `External NAT`. The name of your access config might be different.\n\n## References\n\n1. 
[https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses][3]\n2. [https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances][4]\n3. [https://cloud.google.com/compute/docs/instances/connecting-to-instance][5]\n4. [https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip][6]\n5. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][7]\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address\n[3]: https://cloud.google.com/load-balancing/docs/backend-service#backends_and_external_ip_addresses\n[4]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[5]: https://cloud.google.com/compute/docs/instances/connecting-to-instance\n[6]: https://cloud.google.com/compute/docs/ip-addresses/reserve-static-external-ip-address#unassign_ip\n[7]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[8]: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances\n[9]: 
https://cloud.google.com/compute/docs/instances/connecting-to-instance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.9","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.network_interfaces[_].access_configs[_]\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"zxk-7n9-rtz","createdAt":1657888953309,"name":"Compute instances do not have public IP addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","control:3.4.1","control:4.11","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:2","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:3.4","requirement:Communications-Security","requirement:Control-Activities","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:3.5.2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:3.5.4","source:google_compute_instance","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nGoogle Cloud encrypts both stored and in-transit data, but customer data needs to be decrypted while it is processed. Confidential Computing is a Google technology that protects data by encrypting it while it is in use. 
Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).\n\nConfidential VMs leverage the Secure Encrypted Virtualization (SEV) feature of AMD\nEPYCTM CPUs, keeping customer data encrypted while it is used, indexed, queried, or\ntrained on. Encryption keys are generated in hardware, per VM, and not exportable. There is no significant performance penalty to Confidential Computing workloads because of built-in hardware optimizations.\n\n## Rationale\n\nConfidential Computing enables customers' sensitive code and other data to be encrypted in\nmemory during processing. Google does not have access to the encryption keys.\nConfidential VMs can help alleviate concerns about risk related to either dependency on\nGoogle infrastructure or Google insiders' access to customer data in the clear.\n\n## Impact\n\n- Confidential Computing for Compute instances does not support live migration. Unlike regular Compute instances, Confidential VMs experience disruptions during maintenance events like a software or hardware update.\n\n- Additional charges may be incurred when enabling this security feature. See [https://cloud.google.com/compute/confidential-vm/pricing][1] for more info.\n\n## Remediation\n\nConfidential Computing can only be enabled when an instance is created. You must delete\nthe current instance and create a new one.\n\n### From console\n\n1. Go to the VM instances page by visiting: [https://console.cloud.google.com/compute/instances][2].\n2. Click **Create instance**.\n3. Fill out the desired configuration for your instance.\n4. Under the **Confidential VM service** section, click **Enable** > **Enable** to enable the Confidential Computing service on this VM instance.\n5. 
Click **Create**.\n\n### From the command line\n\nCreate a new instance with Confidential Compute enabled.\n\n ```\n gcloud beta compute instances create --zone --confidential-compute --maintenance-policy=TERMINATE\n ```\n## Default Value\n\nBy default, Confidential Computing is disabled for Compute instances.\n\n## References\n\n1. [https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance][3]\n2. [https://cloud.google.com/compute/confidential-vm/docs/about-cvm][4]\n3. [https://cloud.google.com/confidential-computing][5]\n4. [https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms][6]\n\n## CIS Controls\n\nVersion 8 - 3.11: Encrypt Sensitive Data at Rest\n- Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.\n\nVersion 7 - 14.8: Encrypt Sensitive Information at Rest\n- Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n\n[1]: https://cloud.google.com/compute/confidential-vm/pricing\n[2]: https://console.cloud.google.com/compute/instances\n[3]: https://cloud.google.com/compute/confidential-vm/docs/creating-cvm-instance\n[4]: https://cloud.google.com/compute/confidential-vm/docs/about-cvm\n[5]: https://cloud.google.com/confidential-computing\n[6]: 
https://cloud.google.com/blog/products/identity-security/introducing-google-cloud-confidential-computing-with-confidential-vms","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.11","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.4.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tnot machineType(compute_instance)\n} else = \"pass\" {\n\tcompute_instance.confidential_instance_config.enable_confidential_compute\n} else = \"fail\" {\n\ttrue\n}\n\nmachineType(compute_instance) if {\n\tcontains(compute_instance.machine_type, \"n2d-\")\n} else {\n\tcontains(compute_instance.machine_type, \"c2d-\")\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ofu-7xv-iqz","createdAt":1657888955714,"name":"Compute instances have confidential computing enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate a brute force login with a privileged policy being applied to a role.\n\n## Strategy\nCorrelate the [Potential brute force attack on AWS ConsoleLogin][1] and [AWS IAM privileged policy was applied to a role][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the brute force attack was successful.\n * If the login was not legitimate:\n * Revert the privileged policy change\n * Rotate credentials on the brute forced account\n * Enable MFA if it is not already\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-brute-force-consolelogin/\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-iam-priv-policy-applied-to-role/","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":10800,"keepAlive":7200},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"potential_brute_force_attack_on_aws_console_login","additionalFilters":"","defaultRuleId":"8d2-d0c-0b6","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["@userIdentity.arn"],"name":"aws_iam_privileged_policy_was_applied_to_a_role","additionalFilters":"","defaultRuleId":"1np-ggw-qpo","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Brute force lead to privileged policy applying to a role","condition":"potential_brute_force_attack_on_aws_console_login > 0 && aws_iam_privileged_policy_was_applied_to_a_role > 0"}],"type":"signal_correlation","id":"z65-vsm-leu","createdAt":1664829682321,"name":"ConsoleLogin event correlates privileged policy applying to a role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.10","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all containers on a Docker host share resources equally. 
By using the resource management capabilities of the Docker host, you can control the amount of memory that a container is able to use.\n\n## Rationale\n\nBy default a container can use all of the memory on the host. You can use memory limit mechanisms to prevent a denial of service occurring where one container consumes all of the hosts resources and other containers on the same host are therefore not able to function. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'` \n\nIf this command returns 0, it means that memory limits are not in place; if it returns a non-zero value, it means that they are in place.\n\n## Remediation\n\nYou should run the container with only as much memory as it requires by using the `--memory argument`. For example, you could run a container using the command `docker run --interactive --tty --memory 256m centos /bin/bash`\n\nIn this example, the container is started with a memory limit of 256 MB. Note that the output of the command below returns values in scientific notation if memory limits are in place. `docker inspect --format='{{.Config.Memory}}' 7c5a2d4c7fe0`\n\nFor example, if the memory limit is set to 256 MB for a container instance, the output of the command above would be `2.68435456e+08` and NOT `256m`. You should convert this value using a scientific calculator.\n\n## Impact\n\nIf correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources.\n\n## Default value\n\nBy default, all containers on a Docker host share their resources equally and no memory limits are enforced.\n\n## References\n\n1. https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. 
https://docs.docker.com/engine/admin/runmetrics/\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.10","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ecn-mmt-tqe","createdAt":1599605860081,"name":"Container has memory usage limits configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.26","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf the container image does not have an HEALTHCHECK instruction defined, you should use the `--health-cmd` parameter at container runtime to check container health.\n\n## Rationale\n\nIf the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the `--health-cmd` parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.\n\n## Audit\n\nRun this command and ensure that all containers are reporting their health status: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'`\n\n## Remediation\n\nYou should run the container using the `--health-cmd` parameter. 
For example, `docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, health checks are not carried out at container runtime.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.26","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.26\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ojg-sb1-nso","createdAt":1599605067593,"name":"Container health is monitored when not supported by default"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should add the `HEALTHCHECK` instruction to your Docker container images in order to ensure that health checks are executed against running containers.\n\n## Rationale\n\nAn important security control is that of availability. Adding the `HEALTHCHECK` instruction to your container image ensures that the Docker engine periodically checks the running container instances against that instruction to ensure that containers are still operational. 
Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly, and instantiate new ones.\n\n## Audit\n\nRun this command to ensure that Docker images have the appropriate `HEALTHCHECK` instruction configured: `docker inspect --format='{{ .Config.Healthcheck }}' `\n\n## Remediation\n\nYou should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `HEALTHCHECK` is not set.\n\n## References\n\n1. https://docs.docker.com/engine/reference/builder/#healthcheck\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_image","complianceFrameworks":[{"control":"4.6","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"5xs-afd-sfx","createdAt":1599604909942,"name":"Container image includes HealthCheck instructions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect vulnerabilities in container images.\n\n## Strategy\nThis rule lets you monitor Twistlock logs `(@vulnerability.log_type:vulnerability)` to detect vulnerabilities in a container image. \n\n## Triage and response\n1. Determine the impact of this vulnerability.\n2. 
Update the container image in the registry with a patched version of the software.\n3. Deploy the new image to all containers running the vulnerable image.\n\n## Change Log\n29 Jun 2022 - Added queries for various vulnerability severity levels.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:medium","groupByFields":["container_name"],"aggregation":"count","name":"medium_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:vulnerability @vulnerability.severity:low","groupByFields":["container_name"],"aggregation":"count","name":"low_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerabiluty","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerabiluty","condition":"high_severity_vulnerability > 0"},{"status":"medium","notifications":[],"name":"Medium Severity Vulnerabiluty","condition":"medium_severity_vulnerability > 0"},{"status":"low","notifications":[],"name":"Low Severity Vulnerabiluty","condition":"low_severity_vulnerability > 0"}],"type":"log_detection","id":"d7s-rex-gjv","createdAt":1585870278701,"name":"Container image vulnerability 
detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.25","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should restrict the container from acquiring additional privileges via SUID or SGID bits.\n\n## Rationale\n\nA process can set the `no_new_priv` bit in the kernel and this persists across forks, clones and execve. The `no_new_priv` bit ensures that the process and its child processes do not gain any additional privileges via SUID or SGID bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all of the security options currently configured for containers. The option `no-new-privileges` should be one of them.\n\n## Remediation\n\nStart your container with the options `docker run --rm -it --security-opt=no-new-privileges ubuntu bash`\n\n## Impact\n\nThe `no_new_priv` option prevents LSMs like SELinux from allowing processes to acquire new privileges.\n\n## Default value\n\nBy default, new privileges are not restricted.\n\n## References\n\n1. https://github.com/projectatomic/atomic-site/issues/269\n2. https://github.com/docker/docker/pull/20727\n3. https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt\n4. https://lwn.net/Articles/475678/\n5. 
https://lwn.net/Articles/475362/\n\n## CIS controls\n\nVersion 6\n\n5 Controlled Use of Administration Privileges Controlled Use of Administration Privileges\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.25","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.25\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"cft-3kh-z3l","createdAt":1599604337425,"name":"Container is restricted from acquiring additional privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a container management utility (e.g., `kubectl`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running container management/orchestration utilities. This detection triggers when execution of one of a set of common container management utilities (like `kubectl` or `kubelet`) is detected in a container. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires version 7.27 or higher*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:suspicious_container_client","groupByFields":["host"],"aggregation":"count","name":"suspicious_container_client","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"suspicious_container_client","condition":"suspicious_container_client > 0"}],"type":"workload_security","id":"ll8-gx6-k15","createdAt":1617722068555,"name":"Container management utility in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.12","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe container's root filesystem should be treated as a 'golden image' by using Docker run's `--read-only` option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure.\n\n## Rationale\n\nEnabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. 
This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories.\n\n## Audit\n\nRun this command on the docker host: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'` \n\nIf this command returns `true`, it means the container's root filesystem is mounted read-only. If the above command returns `false`, it means the container's root filesystem is writeable.\n\n## Remediation\n\nAdd a `--read-only` flag at a container's runtime to enforce the container's root filesystem being mounted as read only. For example, `docker run --read-only `\n\nEnabling the `--read-only` option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during its lifetime. \n\nExamples of explicit storage locations during a container's runtime include, but are not limited to:\n\n1. Using the `--tmpfs` option to mount a temporary file system for non-persistent data writes. `docker run --interactive --tty --read-only --tmpfs \"/run\" --tmpfs \"/tmp\" centos /bin/bash`\n2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. For example, `docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash`\n\n3. Utilizing the Docker shared-storage volume plugin for Docker data volume to persist container data. For example, `docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data centos /bin/bash`\n\n3. Transmitting container data outside of the Docker controlled area during the container's runtime for container data in order to ensure that it is persistent. 
Examples include hosted databases, network file shares and APIs.\n\n## Impact\n\nEnabling `--read-only` at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use. Example: Enable use `--tmpfs` for temporary file writes to /tmp Use Docker shared data volumes for persistent data writes\n\n## Default value\n\nBy default, a container has its root filesystem writeable, allowing all container processes to write files owned by the container's actual runtime user.\n\n## References\n\n1. http://docs.docker.com/reference/commandline/cli/#run\n2. https://docs.docker.com/engine/tutorials/dockervolumes/\n3. http://www.projectatomic.io/blog/2015/12/making-docker-images-write-only-in-production/\n4. https://docs.docker.com/engine/reference/commandline/run/#mount-tmpfs-tmpfs\n5. https://docs.docker.com/engine/tutorials/dockervolumes/#creating-and-mounting-a-data-volume-container\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.12","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"635-mc8-3mr","createdAt":1599602276896,"name":"Container root file sytem is set to 
read-only"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:twistlock"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a container is not running within compliance standards.\n\n## Strategy\nThis rule lets you monitor Twistlock logs to detect when a `High` or `Critical` severity compliance issue is discovered in a running container. \n\n## Triage and response\n1. Determine the impact of the compliance finding.\n2. Remediate the compliance finding.\n\n## Change Log\n27 Jun 2022 - Updated Rule and added findings for critical vulnerabilities.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:critical","groupByFields":["container_name"],"aggregation":"count","name":"critical_severity_vulnerability","distinctFields":[]},{"query":"source:twistlock @vulnerability.log_type:compliance @vulnerability.severity:high","groupByFields":["container_name"],"aggregation":"count","name":"high_severity_vulnerability","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical Severity Vulnerability","condition":"critical_severity_vulnerability > 0"},{"status":"high","notifications":[],"name":"High Severity Vulnerability","condition":"high_severity_vulnerability > 0"}],"type":"log_detection","id":"9vp-d1j-kwp","createdAt":1585870281390,"name":"Container violated compliance standards"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:5.28","security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should use the `--pids-limit` flag at container runtime.\n\n## Rationale\n\nAttackers could launch a fork bomb with a single command inside 
the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.\n\n## Audit\n\nRun this command and ensure that `PidsLimit` is not set to 0 or -\n1. A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container. \n\n```\ndocker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'\n```\n\n## Remediation\n\nUse `--pids-limit` flag with an appropriate value when launching the container. For example, `docker run -it --pids-limit 100 `\n\nIn the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.\n\n## Impact\n\nSet the PIDs limit value as appropriate. Incorrect values might leave containers unusable.\n\n## Default value\n\nThe Default value for `--pids-limit` is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.\n\n## References\n\n1. https://github.com/docker/docker/pull/18697\n2. 
https://docs.docker.com/engine/reference/commandline/run/#options\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.28","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.28\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tmp-lms-u8p","createdAt":1599603016485,"name":"Container's PIDs cgroup limit parameter is set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Container-Images-and-Build-File-Configuration","framework:cis-docker","control:4.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nContainers should run as a non-root user.\n\n## Rationale\n\nIt is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through [gosu][1] or similar where used as part of the CMD or ENTRYPOINT directives.\n\n## Remediation\n\nEnsure that the Dockerfile for each container image contains `USER `\n\nIn this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the `useradd` command to add a specific user before the USER instruction in the Dockerfile. 
\n\nFor example, add the below lines in the Dockerfile to create a user in the container:\n`RUN useradd -d /home/username -m -s /bin/bash username USER username`\n\n**Note**: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers. Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.\n\n## Impact\n\nRunning as a non-root user can present challenges when binding mount volumes from the underlying host. In this case, ensure that the user running the contained process can read and write to the bound directory, according to their requirements.\n\n## Default value\n\nBy default, containers are run with root privileges and also run as the root user inside the container.\n\n## References\n\n1. https://github.com/docker/docker/issues/2918\n2. https://github.com/docker/docker/pull/4572\n3. https://github.com/docker/docker/issues/7906\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://github.com/tianon/gosu\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"4.1","framework":"cis-docker","requirement":"Container-Images-and-Build-File-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iml-sbn-bao","createdAt":1599605130883,"name":"Containers do not use the root user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","control:5.1","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAppArmor is an effective and easy-to-use Linux application security system. It is available on some Linux distributions by default, for example, on Debian and Ubuntu.\n\n## Rationale\n\nAppArmor protects the Linux OS and applications from various threats by enforcing a security policy which is also known as an AppArmor profile. You can create your own AppArmor profile for containers or use Docker's default profile. 
Enabling this feature enforces security policies on containers as defined in the profile.\n\n## Audit\n\nYou should run this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'` \n\nThis command returns a valid AppArmor Profile for each container instance.\n\n## Remediation\n\nIf AppArmor is applicable for your Linux OS, enable it.\n\n1. Verify AppArmor is installed.\n2. Create or import a AppArmor profile for Docker containers.\n3. Enable enforcement of the policy.\n4. Start your Docker container using the customized AppArmor profile. For example: `docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash` Alternatively, Docker's default AppArmor policy can be used.\n\n## Impact\n\nThe container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container.\n\n## Default value\n\nBy default, the docker-default AppArmor profile is applied to running containers. This profile can be found at `/etc/apparmor.d/docker`\n\n## References\n\n1. https://docs.docker.com/engine/security/apparmor/\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.1","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"s4z-dsj-llz","createdAt":1599600498264,"name":"Containers have an AppArmor profile enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.24","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to attach to a particular `cgroup` when a container is instantiated. Confirming `cgroup` usage would ensure that containers are running in defined `cgroup`s.\n\n## Rationale\n\nSystem administrators typically define `cgroup`s in which containers are supposed to run. 
If `cgroup`s are not explicitly defined by the system administrator, containers run in the docker `cgroup` by default. At run time, it is possible to attach a container to a different `cgroup` other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different `cgroup`, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'` \n\nThis command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.\n\n## Remediation\n\nYou should not use the `--cgroup-parent` option within the docker run command unless strictly required.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers run under docker `cgroup`.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups\n2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n\n## Audit\n\nYou should run the following command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}' The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. 
Any other return value indicates that the system is not configured in line with good security practice.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.24","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.24\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"maa-bf8-zan","createdAt":1599601906764,"name":"Containers use the cgroup configured in Docker"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","source:compliance-agent","control:1.3.7","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the Controller Manager service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Controller Manager API service which runs on port 10252/TCP by default is used for health and metrics information and is available without authentication or encryption. 
As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ \n\n*Notes*: Although the current Kubernetes documentation site says that `--address` is deprecated in favour of `--bind-address`. Kubeadm 1.11 still makes use of `--address`.\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. 
\n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.7","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pvo-5un-k18","createdAt":1599603818624,"name":"Controller Manager API service is bound to localhost"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.3.2","security:compliance","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.2","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1ie-ddf-7wm","createdAt":1599604031896,"name":"Controller Manager profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.4","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nExplicitly set a service account private key file for service accounts on the controller manager.\n\n## Rationale\n\nTo ensure that keys for service account tokens can be rotated as needed, a separate public/private key pair should be used for signing service account tokens. The private key should be specified to the controller manager with `--service-account-private-key-file` as appropriate.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--service-account-private-key-file` argument is set as appropriate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--service-account-private-key-file parameter` to the private key file for service accounts:\n\n```\n--service-account-private-key-file=\n```\n\n## Impact\n\nYou would need to securely maintain the key file and rotate the keys based on your organization's key rotation policy.\n\n## Default value\n\nBy default, `--service-account-private-key-file` it not set.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-controller-manager/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.4","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mj1-ode-sln","createdAt":1599600796213,"name":"Controller manager has a service account private key file set"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.1.3","scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of the Controller Manager on the master node. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `kube-controller-manager.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.3","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pr0-hcf-xkw","createdAt":1599603633988,"name":"Controller manager pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.1.4","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller manager pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe controller manager pod specification file controls various parameters that set the behavior of various components of the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-controller-manager.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown root:root /etc/kubernetes/manifests/kube-controller-manager.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-controller-manager.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.4","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jwf-xdm-mi9","createdAt":1599599105053,"name":"Controller manager pod specification file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect and identify the network IP address when multiple 
user accounts have login attempt activities recorded.\n\n## Strategy\n\nMonitor Azure Active Directory and detect when any `@evt.category` is equal to `SignInLogs` and more than 10 of the `@evt.outcome` are equal to `false` by the same network IP address.\n\nSecurity Signal returns **HIGH** if`@evt.outcome` has value of `success` after 10 multiple failed logins by the same network IP address.\n\n## Triage and response\n\n1. Inspect the log and determine if this was a valid login attempt.\n2. If the user was compromised, rotate user credentials.\n\n## Changelog\n14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"failed_login_multiple_user_accounts_same_ip_address","distinctFields":["@usr.id"]},{"query":"source:azure.activedirectory @evt.category:SignInLogs @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login_same_ip_address","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful login after multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 && successful_login_same_ip_address > 0"},{"status":"medium","notifications":[],"name":"Multiple failed login attempts from the same network IP address","condition":"failed_login_multiple_user_accounts_same_ip_address > 10 "}],"type":"log_detection","id":"igg-0ve-xxc","createdAt":1607106304164,"name":"Credential Stuffing Attack on 
Azure"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n * Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:success @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials.\" OR \"Update application \u2013 Certificates and secrets management\") @usr.id:*@* @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"credential_added_azure_ad_application_o365","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"credential_added_azure_ad_application > 0 || credential_added_azure_ad_application_o365 > 0"}],"type":"log_detection","id":"myf-gpu-vqf","createdAt":1659365955026,"name":"Credential added to Azure AD application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","technique:T1098-account-manipulation","scope:azure","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user adds a secret or certificate to an Azure Active Directory Application that is not regularly updated.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add service principal credentials`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Update application \u2013 Certificates and secrets management`\n* `Add 
service principal credentials.`\n\nAn attacker can add a secret or certificate to an application in order to connect to Azure AD as the application and perform API operation leveraging the application permissions that are assigned to it. An attacker may target an application that is seldom changed to avoid detection. Using the `New Value` detection method, a signal is raised when an application not seen in the previous 7 days has credentials added.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Remove the suspicious key.\n * Invalidate all existing refresh tokens. This ensures the attacker is unable to connect to your tenant.\n * Begin your organization's Incident Response (IR) process.\n3. If the API call was made by the user:\n * Ensure the change was authorized.","options":{"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":86400,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":true,"keepAlive":3600},"version":54,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@properties.targetResources.displayName","aggregation":"new_value","metrics":["@properties.targetResources.displayName"],"groupByFields":["@usr.id"],"query":"source:azure.activedirectory @evt.name:(\"Update application \u2013 Certificates and secrets management \" OR \"Add service principal credentials\" OR \"Update application \u2013 Certificates and secrets management\") @evt.outcome:success @evt.category:AuditLogs"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"1p0-9ix-ig2","createdAt":1660304687805,"name":"Credential added to rarely used Azure AD 
application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["category:authentication","tactic:TA0006-credential-access","template:true","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least 25 unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\nUse [this Datadog runbook](https://app.datadoghq.com/notebook/credentialstuffingrunbook) to assist in your investigation.\n\n1. Determine if it is a legitimate attack or a false positive\n2. Determine compromised users\n3. 
Remediate compromised user accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":1800,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@evt.category:authentication @evt.outcome:failure","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"@evt.category:authentication @evt.outcome:success","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful - Greater than 50","condition":"unique_users_failing_to_login>50 && successful_login>=1"},{"status":"medium","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>25 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>25"}],"type":"log_detection","id":"ypo-jbm-p2s","createdAt":1608750331867,"name":"Credential stuffing attack"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","source:auth0","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect Account Take Over (ATO) through credential stuffing attack.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a `HIGH` severity signal.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated\n3. 
If the user was compromised, rotate user credentials.\n\n## Changelog\n13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":3600,"maxSignalDuration":86400,"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:auth0 @evt.name:(failed_login_incorrect_password OR failed_login_invalid_email_or_username)","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.id"]},{"query":"source:auth0 @evt.name:success_login","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login>10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login>10"}],"type":"log_detection","id":"ryo-snu-uva","createdAt":1597422958108,"name":"Credential stuffing attack on Auth0"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through credential stuffing attack against a Salesforce account.\n\nA credential stuffing attack is used to gain initial access by compromising user accounts.\n\nThe attacker obtains a list of compromised usernames and passwords from a previous user database breach, phishing attempt, or other means. 
Then, they use the list of username and passwords to attempt to login to accounts on your application.\n\nIt is common for an attacker to use multiple IP addresses to target your application in order to distribute the attack load for load balancing purposes, to make it more difficult to detect, or make it more difficult to block.\n\n## Strategy\n**To determine a successful attempt:** Detect a high number of failed logins from at least ten unique users and at least one successful login for a user within a period of time from the same IP address.\n\n**To determine an unsuccessful attempt:** Detect a high number of failed logins from at least ten unique users within a period of time from the same IP address.\n\n## Triage and response\n\n1. Determine if it is a legitimate attack or a false positive.\n2. Determine compromised users.\n3. Remediate compromised user accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@network.client.ip"],"aggregation":"cardinality","name":"unique_users_failing_to_login","distinctFields":["@usr.email"]},{"query":"source:salesforce @status:\"Success\"","groupByFields":["@network.client.ip"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Successful","condition":"unique_users_failing_to_login > 10 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"unique_users_failing_to_login > 10 "}],"type":"log_detection","id":"y0t-wg6-3nq","createdAt":1621929255278,"name":"Credential stuffing attack on 
Salesforce"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1003-os-credential-dumping","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to sensitive credential files from non-standard processes.\n\n## Strategy\nEspecially in production, all credentials should be either defined as code, or static. Drift and unmonitored changes to these credentials can open up attack vectors for adversaries, and cause your organization to be out of compliance with any frameworks or regulations that you are subject to. This detection watches for the modification of sensitive credential files which should not be changed outside of their definitions as code (or static definitions). The Linux commands `vipw` and `vigr` are the standard way to modify shadow and gshadow files respectively. Other processes interacting with these sensitive credential files is highly suspicious and should be investigated.\n\n## Triage and response\n1. Identify the user or process that changed the credential file(s).\n2. Identify what was changed in the credential files.\n3. 
If these changes are not acceptable, roll back contain the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd","groupByFields":["host"],"aggregation":"count","name":"credential_modified","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd @process.comm:(adduser OR useradd OR groupadd OR userdel OR deluser OR chage)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_standard","distinctFields":[]},{"query":"@agent.rule_id:(credential_modified OR credential_modified_chmod OR credential_modified_chown OR credential_modified_link OR credential_modified_rename OR credential_modified_open OR credential_modified_unlink OR credential_modified_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.executable.path:(\\/usr\\/sbin\\/* OR \\/usr\\/bin\\/* OR \\/bin\\/*)","groupByFields":["host"],"aggregation":"count","name":"credential_modified_non_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"credential_modified_non_bin","condition":"credential_modified_non_bin > 
0"},{"status":"info","notifications":[],"name":"credential_modified_standard","condition":"credential_modified_standard > 0"},{"status":"low","notifications":[],"name":"credential_modified","condition":"credential_modified > 0"}],"type":"workload_security","id":"srd-2ub-jov","createdAt":1598516746271,"name":"Credentials file modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","cloud_provider:aws","control:8.1.4","framework:hipaa","requirement:Information-Access-Management","framework:pci","requirement:Credentials","control:164.308-a-4-ii-C"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. You should remove or deactivate all credentials that have been unused in 90+ days.\n\n## Rationale\n\nDisabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78900-8 2. 
CIS CSC v6.0 #16.6\n\n## CIS controls\n\n16.9 Disable Dormant Accounts Automatically - Disable dormant accounts after a set period of inactivity.\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nninety_days_ms := (((90 * 24) * 60) * 60) * 1000\n\npassword_used_recently(resource_seen_at, credential_report) if {\n\tcredential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_used > ninety_days_ms\n} else {\n\tnot credential_report.password_last_used\n\tresource_seen_at - credential_report.password_last_changed > ninety_days_ms\n}\n\nkey_used_recently(resource_seen_at, credential_report, key_name) if {\n\tcredential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_used_date\"])] > ninety_days_ms\n} else {\n\tnot credential_report[concat(\"\", [key_name, \"_last_used_date\"])]\n\tresource_seen_at - credential_report[concat(\"\", [key_name, \"_last_rotated\"])] > ninety_days_ms\n}\n\npassword_or_access_key_is_enabled(resource_seen_at, credential_report) if {\n\tcredential_report.password_enabled\n\tpassword_used_recently(resource_seen_at, credential_report)\n} else {\n\tcredential_report.access_key_1_active\n\tkey_used_recently(resource_seen_at, credential_report, \"access_key_1\")\n} else {\n\tcredential_report.access_key_2_active\n\tkey_used_recently(resource_seen_at, credential_report, 
\"access_key_2\")\n}\n\neval(iam_user) = \"pass\" if {\n\tcredential_report := iam_user.credential_report[_]\n\tnot password_or_access_key_is_enabled(iam_user.resource_seen_at, credential_report)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cl8-844-szh","createdAt":1621238614316,"name":"Credentials have been used within the last 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","framework_version:3.2","control:11.5","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications of critical system binaries.\n\n## Strategy\nPCI-DSS is the payment-card industry's compliance framework. Any systems that handle credit card data and transactions from the major credit card companies must be PCI-DSS compliance. Control 11.5 of the PCI-DSS framework states that organizations must \"alert personnel to unauthorized modifications (including changes, additions, and deletions) of critical system files, configuration files, or content files\". On Linux, critical system binaries are typically stored in `/bin/`, `/sbin/`, or `/usr/sbin/`. 
This rule tracks any modifications to those directories.\n\n## Triage and response\n1. Identify which user or process changed the critical system binaries.\n2. If these changes were not authorized, and you cannot confirm the safety of the changes, roll back the host or container in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chmod) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_chown) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_chown","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_link) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_link","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_rename) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_rename","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_open) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd 
@process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_open","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_unlink) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pci_11_5_critical_binaries OR pci_11_5_critical_binaries_utimes) -@process.executable.name:(pip OR pip3 OR npm OR dockerd) -(@process.executable.name:containerd @process.args:info)","groupByFields":["host"],"aggregation":"count","name":"pci_11_5_critical_binaries_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"pci_11_5_critical_binaries","condition":"pci_11_5_critical_binaries_chmod > 0 || pci_11_5_critical_binaries_chown > 0 || pci_11_5_critical_binaries_link > 0 || pci_11_5_critical_binaries_rename > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_open > 0 || pci_11_5_critical_binaries_unlink > 0 || pci_11_5_critical_binaries_utimes > 0"}],"type":"workload_security","id":"3rk-f4l-c7j","createdAt":1606142933669,"name":"Critical system binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation or modification of new cron jobs on a system.\n\n## Strategy\nCron is a task scheduling system that runs tasks on a time-based schedule. Attackers can use cron jobs to gain persistence on a system, or even to run malicious code at system-boot. Cron jobs can also be used for remote code execution, or to run a process under a different user-context.\n\n## Triage and response\n1. 
Check to see which cron task was created or modified.\n2. Check whether the cron task was created or modified by a known user or process.\n3. If these changes are not acceptable, roll back the host or container in question to an acceptable configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(cron_at_job_creation OR cron_at_job_creation_chmod OR cron_at_job_creation_chown OR cron_at_job_creation_link OR cron_at_job_creation_rename OR cron_at_job_creation_open OR cron_at_job_creation_utimes) -(@file.name:*.dpkg-new AND @process.executable.name:dpkg) -@process.ancestors.executable.path:\"/usr/bin/unattended-upgrade\" -@process.executable.path:\"/usr/bin/dockerd\"","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_creation","distinctFields":[]},{"query":"@agent.rule_id:cron_at_job_creation_unlink","groupByFields":["host"],"aggregation":"count","name":"cron_at_job_deletion","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"cron_at_job_creation","condition":"cron_at_job_creation > 0"},{"status":"low","notifications":[],"name":"cron_at_job_deletion","condition":"cron_at_job_deletion > 0"}],"type":"workload_security","id":"qqk-vqp-6xt","createdAt":1606142961130,"name":"Cron job modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nIP check services return the public IP of the client. They are used legitimately for configuration purposes when utilizing infrastructure as code. 
They can be abused by attackers to determine the organization they have compromised.\n\n## Strategy\n\nDetect when a DNS lookup is done for a domain belonging to an IP check service.\n\n## Triage and response\n\n1. Determine if `{{@process.executable.name}}` is expected to make a connection to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. Start incident response and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ip_check_domain","groupByFields":["host"],"aggregation":"count","name":"ip_check_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"ip_check_domain","condition":"ip_check_domain > 0"}],"type":"workload_security","id":"v7i-jqs-gcx","createdAt":1653417825959,"name":"DNS lookup for IP lookup service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nAttackers often use compromised cloud infrastructure to mine cryptocurrency. \n\n## Strategy\n\nDetect when a process performs a DNS lookup for a domain related to cryptomining.\n\n## Triage and response\n\n`{{@process.executable.name}}` performed a DNS lookup for `{{@dns.question.name}}`\n\n1. Contain the host or container and roll back to a known good configuration.\n2. 
Review the process tree and determine the initial entry point.\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:potential_cryptominer","groupByFields":["host"],"aggregation":"count","name":"potential_cryptominer","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"potential_cryptominer","condition":"potential_cryptominer > 0"}],"type":"workload_security","id":"8am-wzf-ixk","createdAt":1653417822316,"name":"DNS lookup for cryptocurrency mining pool"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nPaste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as `wget` or `curl`. These sites may also be used to exfiltrate data.\n\n## Strategy\n\nDetect when a process performs a DNS lookup for a paste site.\n\n## Triage and response\n1. Check if the application `{{@process.executable.name}}` is expected to make connections to `{{@dns.question.name}}`.\n2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.\n3. 
Follow your organization's internal processes for investigating and remediating compromised systems.\n\n\n*Requires Agent version 7.36 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:paste_site","groupByFields":["host"],"aggregation":"count","name":"paste_site","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"paste_site","condition":"paste_site > 0"}],"type":"workload_security","id":"bze-mml-h8r","createdAt":1653417817764,"name":"DNS lookup for paste service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.3","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","framework:iso-27001","framework:pci","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCloud Domain Name System (DNS) is a fast, reliable, and cost-effective domain name system\nthat powers millions of domains on the internet. Domain Name System Security Extensions\n(DNSSEC) in Cloud DNS enables domain owners to take easy steps to protect their domains\nagainst DNS hijacking, man-in-the-middle attacks, and more.\n\n## Rationale\nDomain Name System Security Extensions (DNSSEC) adds security to the DNS protocol by enabling the DNS responses to be validated. A trustworthy DNS that translates a domain name like `www.example.com` into its associated IP address is an increasingly important building block for modern web-based applications. 
\n\nAttackers can hijack this process of domain/IP lookup and redirect users to a malicious site through DNS hijacking and man-in-the-middle attacks. DNSSEC helps mitigate the risk of such attacks by cryptographically signing DNS records to prevent attackers from issuing fake DNS responses that may misdirect browsers to nefarious websites.\n\nBy default, DNSSEC is not enabled.\n\n## Remediation\n\n### From the console:\n1. Navigate to the [Cloud DNS page][1].\n2. For each Type Public zone, set `DNSSEC` to **On**.\n\n### From the command line:\nUse this command to enable DNSSEC for Cloud DNS Zone Name:\n\n```\ngcloud dns managed-zones update ZONE_NAME --dnssec-state on\n```\n\n\n## References\n1. [https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html][2]\n2. [https://cloud.google.com/dns/dnssec-config#enabling][3]\n3. [https://cloud.google.com/dns/dnssec][4]\n\n\n[1]: https://console.cloud.google.com/net-services/dns/zones\n[2]: https://cloudplatform.googleblog.com/2017/11/DNSSEC-now-available-in-Cloud-DNS.html\n[3]: https://cloud.google.com/dns/dnssec-config#enabling\n[4]: https://cloud.google.com/dns/dnssec\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-gcp","requirement":"Cardholder-Data","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as 
dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nisZonePublic(dns_managed_zone) if {\n\tupper(dns_managed_zone.visibility) == \"PUBLIC\"\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot isZonePublic(dns_managed_zone)\n} else = \"pass\" {\n\tupper(dns_managed_zone.dnssec_config.state) == \"ON\"\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"crl-ytf-ohh","createdAt":1659621733035,"name":"DNSSEC is enabled for Cloud DNS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","requirement:Credentials","requirement:Compliance","level:1","requirement:Database-Services","requirement:Cardholder-Data","requirement:Application-Updates","framework:iso-27001","framework:pci","security:compliance","control:6.5.3","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:3.4","control:C1.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nEnable Transparent Data Encryption on every SQL server.\n\n## Rationale\n\nAzure SQL Database transparent data encryption helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL databases\n2. For each DB instance\n3. Click on Transparent data encryption\n4. Set Data encryption to On using the Azure Command Line Interface\n5. Use the below command to enable Transparent data encryption for SQL DB instance:\n\n ```bash\n --resource-group --server --database --status\n ```\n\n **Note**: TDE cannot be used to encrypt the logical master database in SQL Database. The master database contains objects that are needed to perform the TDE operations on the user databases. Azure Portal does not show master databases per SQL server. However, CLI/API responses will show master databases.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-with-azure-sql-database\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-5-encrypt-sensitive-data-at-rest\n\n**Note**: Transparent Data Encryption (TDE) can be enabled or disabled on individual SQL Database level and not on the SQL Server level. TDE cannot be used to encrypt the logical master database in SQL Database. 
The master database contains objects that are needed to perform the TDE operations on the user databases.\n\n# CIS Controls\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest: Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@transparent_data_encryption.status:(\"Enabled\")","resourceType":"azure_sql_server_database","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server_database (-@transparent_data_encryption.status:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ahw-tol-knx","createdAt":1624867974429,"name":"Data encryption on SQL 
Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a database process (e.g., MySQL, PostgreSQL, MongoDB).\n\n## Strategy\nAttacks on databases often take advantage of oversights in I/O sanitization and validation to run attacker statements and commands. For example, these attacks could take the form of database query injection, which can signal the beginning of an intrusion and wider attack, by establishing a web shell or exfiltrating data. This detection triggers when common shell utilities, HTTP utilities, or shells are spawned by one of a set of database processes (e.g., MySQL, MongoDB, PostgreSQL). This is atypical behavior for a database. If this is unexpected behavior, it could indicate an attacker attempting to compromise your database or host machine.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your database to execute shells and utilities.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:database_shell_execution -@process.ancestors.executable.name:initdb -@process.args:\"locale -a\"","groupByFields":["host"],"aggregation":"count","name":"database_shell_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"database_shell_execution","condition":"database_shell_execution > 0"}],"type":"workload_security","id":"4ni-kny-z5x","createdAt":1617722069155,"name":"Database process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:2","requirement:Cardholder-Data","control:1.17","framework:pci","security:compliance","requirement:Least-Privileged-Access","control:7.2","requirement:Confidentiality","control:3.5","control:7.1","control:C1.2","control:7.2.1","control:7.2.2","source:google_dataproc_cluster","control:7.2.3","framework:soc-2","requirement:Identity-and-Access-Management","control:3.5.2","control:3.6.1","scope:google_dataproc_cluster","control:3.6.2","requirement:Logical-and-Physical-Access-Control","control:3.6.3","control:3.6.4","control:3.6.5","control:CC6.3","control:CC6.2","control:3.6.7","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nWhen you use Dataproc, cluster and job data is stored on Persistent Disks (PDs) associated\nwith the Compute Engine VMs in your cluster and in a Cloud Storage staging bucket. This\nPD and bucket data is encrypted using a Google-generated data encryption key (DEK) and\nkey encryption key (KEK). The CMEK feature allows you to create, use, and revoke the key\nencryption key (KEK). 
Google still controls the data encryption key (DEK).\n\n## Rationale\nCloud services offer the ability to protect data related to those services using encryption\nkeys managed by the customer within Cloud KMS. These encryption keys are called\ncustomer-managed encryption keys (CMEK). When customers protect data in Google Cloud\nservices with CMEK, the CMEK key is within the customer's control.\n\n## Remediation\n\n### From the console:\n1. Log in to the GCP Console and navigate to the **Dataproc Cluster** page by visiting [https://console.cloud.google.com/dataproc/clusters][1].\n2. Select the project from the projects dropdown list.\n3. On the **Dataproc Cluster** page, click on the **Create Cluster** to create a new cluster with customer-managed encryption keys.\n4. On the **Create a cluster** page, perform the following steps:\n 1. Inside **Set up cluster** section perform these steps:\n 1. In the **Name** textbox, provide a name for your cluster.\n 2. From **Location** select the location in which you want to deploy a cluster.\n 3. Configure other configurations as per your requirements.\n 2. Inside **Configure Nodes** and **Customize cluster** section configure the settings as\nper your requirements.\n 3. Inside the **Manage security** section, perform these steps:\n 1. From **Encryption**, select **Customer-managed key**.\n 2. Select a customer-managed key from dropdown list.\n 3. Ensure that the selected KMS Key has the **Cloud KMS CryptoKey Encrypter/Decrypter** role assigned to the Dataproc Cluster service account (`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n 4. Click on **Create** to create a cluster.\n5. Once the cluster is created, migrate all of your workloads from the old cluster to the new cluster and delete the old cluster by performing the following steps:\n 1. On the **Clusters** page, select the old cluster and click on **Delete cluster**.\n 2. On the **Confirm deletion** window, click **Confirm** to delete the cluster.\n6. 
Repeat the steps above for other Dataproc clusters available in the selected project.\n7. Change the project from the project dropdown list and repeat the remediation procedure for other Dataproc clusters available in other projects.\n\n### From the command line:\nBefore creating a cluster, ensure that the selected KMS Key has the **Cloud KMS CryptoKey\nEncrypter/Decrypter** role assigned to the Dataproc Cluster service account\n(`serviceAccount:service-@compute-system.iam.gserviceaccount.com`).\n\nRun the `clusters create` command to create a new cluster with a customer-managed key:\n\n```\ngcloud dataproc clusters create --region=us-central1 --gce-pd-kms-key=\n```\n\nThe above command creates a new cluster in the selected region.\nAfter the cluster is created, migrate all your workloads from the older cluster to the new\ncluster and run the `clusters delete` command to delete the cluster:\n\n```\ngcloud dataproc clusters delete --region=us-central1\n```\n\nRepeat step no. 1 to create a new Dataproc cluster.\nChange the project by running the following command and repeat the remediation procedure\nfor other projects:\n\n```\ngcloud config set project \n```\n\n## References\n1. 
[https://cloud.google.com/docs/security/encryption/default-encryption][2]\n\n[1]: https://console.cloud.google.com/dataproc/clusters\n[2]: https://cloud.google.com/docs/security/encryption/default-encryption\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.17","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.3","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.5","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.6.7","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirem
ent":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(gdc) = \"pass\" if {\n\tgdc.config.encryption_config.gce_pd_kms_key_name\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_dataproc_cluster"]},"validationQuery":"","resourceType":"gcp_dataproc_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dataproc_cluster","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"7qp-kby-dut","createdAt":1659396397166,"name":"Dataproc cluster is encrypted using customer-managed encryption key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.22","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file permissions are set to `644` or more restrictively, by running: \n```\nstat -c %a /etc/default/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/default/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.22","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.22\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pqb-2cq-piw","createdAt":1599601845070,"name":"Default Docker configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.21","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file permissions are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/sysconfig/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 644 /etc/sysconfig/docker`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.21","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"au3-ayl-tdm","createdAt":1599601289420,"name":"Default Docker configuration file cannot be altered by non-owners - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.19","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/default/docker` file ownership and group-ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/default/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. 
It should therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/default/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/default/docker | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/default/docker`\n\nThis sets the ownership and group ownership of the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.19","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o5w-d8y-ka1","createdAt":1599604751728,"name":"Default Docker configuration file is owned by the root account and 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.20","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/sysconfig/docker` file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/sysconfig/docker` file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually owned and group owned by root to ensure that it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `/etc/sysconfig/docker` file is individually owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/sysconfig/docker | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root /etc/sysconfig/docker`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in this case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/admin/configuring/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.20","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xrt-uiz-s7o","createdAt":1599604498138,"name":"Default Docker configuration file is owned by the root account and group - RHEL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.6","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProtect tuned kernel parameters from overriding kubelet default kernel parameter values.\n\n## Rationale\n\nKernel parameters are usually tuned and hardened by the system administrators before putting the systems into production. These parameters protect the kernel and the system. Your kubelet kernel defaults that rely on such parameters should be appropriately set to match the desired secured system state. Ignoring this could potentially lead to running pods with undesired kernel behavior.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--protect-kernel-defaults` argument is set to true. 
If the `--protect-kernel-defaults` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets `protectKernelDefaults` to `true`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `protectKernelDefaults: true`. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--protect-kernel-defaults=true`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou would have to re-tune kernel parameters to match kubelet parameters.\n\n## Default value\n\nBy default, `--protect-kernel-defaults` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.6","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"uiw-kms-wwu","createdAt":1599602462044,"name":"Default Kubelet kernel parameter values are 
protected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","control:2.9","control:2.2.2","framework:iso-27001","requirement:Access-Control","scope:azure.storage","framework:pci","control:1.3.1","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","requirement:Least-Privileged-Access","control:1.2.1","control:3.6","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Storage-Account","source:azure.storage","control:A.13.1.3","requirement:Default-Security-Parameters","control:7.2.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestricting default network access provides a layer of security, because storage accounts accept connections from clients on any network. To limit access to selected networks, change the default action.\n\n## Rationale\n\nConfigure storage accounts to deny access to traffic from all networks (including internet traffic). Grant access to traffic from specific Azure Virtual networks, allowing a secure network boundary for specific applications to be built. Access can also be granted to public internet IP address ranges, to enable connections from specific internet or on-premises clients. When network rules are configured, only applications from allowed networks can access a storage account. When calling from an allowed network, applications continue to require proper authorization (a valid access key or SAS token) to access the storage account.\n\n## Remediation\n\n### From the console:\n\n1. Go to Storage Accounts\n2. For each storage account, click on the settings menu called Firewalls and Virtual Networks.\n3. 
Enable Allow access from selected networks.\n4. Add rules to allow traffic from a specific network.\n5. Click Save to apply your changes.\n\n### From the command line:\n\nUse the following command to update the default action to deny: \n```\naz storage account update --name --resource-group --default-action Deny\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security][1]\n2. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy][2]\n3. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][3]\n\n[1]: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security\n[2]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-2-define-enterprise-segmentation-strategy\n[3]: https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"2.9","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"
3.2.1"},{"control":"7.2.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@network_acls.default_action:Deny","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@network_acls.default_action:Deny)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"hxy-syh-ofi","createdAt":1631690465637,"name":"Default network access rule for Storage Accounts is set to deny"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:RBAC-and-Service-Accounts","scored:true","security:compliance","control:5.1.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.\n\n## Rationale\n\nKubernetes 
provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.\n\n## Audit\n\nFor each namespace in the cluster, review the rights assigned to the default service account and ensure that it has no roles or cluster roles bound to it apart from the defaults. Additionally ensure that the `automountServiceAccountToken: false` setting is in place for each default service account.\n\n## Remediation\n\nCreate explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value `automountServiceAccountToken: false`.\n\n## Impact\n\nAll workloads which require access to the Kubernetes API will require an explicit service account to be created.\n\n## Default value\n\nBy default the default service account allows for its service account token to be mounted in pods in its namespace.\n\n## References\n\n1. 
[https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/][1]\n\n## CIS controls\n\nNone\n\n[1]: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.1.5","framework":"cis-kubernetes","requirement":"RBAC-and-Service-Accounts","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3yv-aqm-bxc","createdAt":1604312204438,"name":"Default service accounts are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging-Monitoring","source:azure.monitor","level:1","requirement:Regular-Testing","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","control:5.1.2","requirement:System-Operations","requirement:Monitoring-Activities","framework:soc-2","control:11.4","control:CC4.1","scope:azure.monitor","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure the diagnostic setting to log the appropriate activities from the control/management plane.\n\n## Rationale\n\nA diagnostic setting controls how the diagnostic log is exported. 
Capturing the diagnostic setting categories for appropriate control/management plane activities allows proper alerting.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Azure Monitor\n2. Click Activity log\n3. Click on Diagnostic settings\n4. Click on Edit Settings for the diagnostic settings entry\n5. Ensure that the following categories are checked: Administrative, Alert, Policy, and Security\n\nARM Template with AZ PowerShell cmdlets:\n\nCreate a file to hold the following JSON:\n\n```json\n{ \"$schema\"\"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\", \"contentVersion\"\"\n1.0.0.0\", \"parameters\"{ \"settingName\"{ \"type\"\"String\" }, \"workspaceId\"{ \"type\"\"String\" } }, \"resources\"[ { \"type\"\"Microsoft.Insights/diagnosticSettings\", \"apiVersion\"\"2017-05-01-preview\", \"name\"\"[parameters(''settingName'')]\", \"dependsOn\"[], \"properties\"{ \"workspaceId\"\"[parameters(''workspaceId'')]\", \"logs\"[ { \"category\"\"Administrative\", \"enabled\"true }, { \"category\"\"Alert\", \"enabled\"true }, { \"category\"\"Autoscale\", \"enabled\"false }, { \"category\"\"Policy\", \"enabled\"true }, { \"category\"\"Recommendation\", \"enabled\"false }, { \"category\"\"ResourceHealth\", \"enabled\"false }, { \"category\"\"Security\", \"enabled\"true }, { \"category\"\"ServiceHealth\", \"enabled\"false } ] } } ] }\n```\n\nReference the JSON. In the `New-AzSubscriptionDeployment`, call `$OMSWorkspace`:\n\n```powershell\nGet-AzResource -ResourceType \"Microsoft.OperationalInsights/workspaces\" -Name New-AzSubscriptionDeployment -Name CreateDiagnosticSetting -location eastus -TemplateFile CreateDiagnosticSetting.jsonc -settingName \"Send Activity log to workspace\" -workspaceId $OMSWorkspace.ResourceId'\n```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings\n2. https://docs.microsoft.com/en-us/azure/azure-monitor/samples/resource-manager-diagnostic-settings\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.3 - Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.1.2","framework":"cis-azure","requirement":"Logging-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"11.4","framework":"pci","requirement":"Regular-Testing","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"validationQuery":"(@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security -@enabled:true)","resourceType":"azure_diagnostic_setting","filter":"","queryPath":"logs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_diagnostic_setting ((@category:Administrative -@enabled:true) OR (@category:Alert -@enabled:true) OR (@category:Policy -@enabled:true) OR (@category:Security 
-@enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q7k-c4u-n6i","createdAt":1635847719443,"name":"Diagnostic Setting captures appropriate categories"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2022-0847 \"Dirty Pipe\". Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. \n\n## Strategy\n\nThis detection triggers when the `splice()` syscall is made and the `PIPE_BUF_FLAG_CAN_MERGE` flag is set. Explanation of the vulnerability and exploitation can be found in the [public disclosure](https://dirtypipe.cm4all.com/).\n\n## Triage & Response\n\n1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field `splice.pipe_exit_flag` is `PIPE_BUF_FLAG_CAN_MERGE`.\n2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. 
If the host is vulnerable, update the kernel to a patched version.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:dirty_pipe_attempt","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_attempt","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_exploitation","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation (@file.uid:0 OR @file.gid:0) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_root","distinctFields":[]},{"query":"@agent.rule_id:dirty_pipe_exploitation @file.path:(*\\/bin\\/* OR *\\/boot\\/*) -@process.executable.path:(\"/usr/bin/grep\" OR \"/bin/grep\")","groupByFields":["host"],"aggregation":"count","name":"dirty_pipe_bin","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"dirty_pipe_attempt","condition":"dirty_pipe_attempt > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_exploitation","condition":"dirty_pipe_exploitation > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_root","condition":"dirty_pipe_root > 0"},{"status":"critical","notifications":[],"name":"dirty_pipe_bin","condition":"dirty_pipe_bin > 0"}],"type":"workload_security","id":"dsi-8cf-mpj","createdAt":1648572788369,"name":"Dirty Pipe exploitation attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet Docker daemon log level to `info`.\n\n## Rationale\n\nSetting up an 
appropriate log level configures the Docker daemon to log events that you would want to review later. A base log level of `info` and above captures all logs except `debug` logs. Unless required, you should not run Docker daemon at `debug` log level.\n\n## Audit\n\nTo confirm that the log level setting is `info`, review both the `dockerd` startup options, and also the log level settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that either the `--log-level` parameter is not present or if present, that it is set to `info`. \n\nSimilarly, review the `/etc/docker/daemon.json` for the `log-level` setting.\n\n## Remediation\n\nEnsure that the Docker daemon configuration file has the following configuration included:\n\n```\n\"log-level\": \"info\" \n```\n\nAlternatively, run the Docker daemon with the `log-level` specified:\n\n```\ndockerd --log-level=\"info\"\n```\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker daemon is set to log level of `info`.\n\n## References\n\n1. [https://docs.docker.com/edge/engine/reference/commandline/dockerd/][1]\n\n## CIS controls\n\nVersion 6.6.2 Ensure Audit Log Settings Support Appropriate Log Entry Formatting - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format. \n\nVersion 7.6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices. 
\n\nVersion 6.3 Enable Detailed Logging - Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. \n\n[1]: https://docs.docker.com/edge/engine/reference/commandline/dockerd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"q6o-wrf-hf4","createdAt":1602076723155,"name":"Docker daemon logging level is set to 'info'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.5","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use `aufs` as the storage driver for your Docker instance.\n\n## Rationale\n\nThe `aufs` storage driver is the oldest storage driver used on Linux systems. It is based on a Linux kernel patch-set that is unlikely in future to be merged into the main OS kernel. The `aufs` driver is also known to cause some serious kernel crashes. `aufs` has only legacy support within systems using Docker. 
Most importantly, `aufs` is not a supported driver in many Linux distributions using latest Linux kernels.\n\n## Audit\n\nVerify that `aufs` is not used as storage driver by running this command and ensuring `aufs` is not listed: \n```\ndocker info --format 'Storage Driver: {{ .Driver }}' \n```\n\n## Remediation\n\nDo not explicitly use `aufs` as storage driver. For example, do not start Docker daemon with the `--storage-driver aufs` flag.\n\n## Impact\n\n`aufs` is the only storage driver that allows containers to share executable and shared library memory. It might be useful if you are running thousands of containers with the same program or libraries. However, you should review its use with respect to your organization's security policy.\n\n## Default value\n\nBy default, Docker uses `devicemapper` as the storage driver on most of the platforms. The default storage driver can vary based on your OS vendor. You should use the storage driver that is recommended by your preferred vendor and which is in line with policy around the applications which are being deployed.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems][1]\n2. [http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/][2]\n3. [http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1][3]\n4. 
[https://docs.docker.com/engine/userguide/storagedriver/][4]\n\n## CIS controls\n\nVersion 6.18 Application Software Security \n\n[1]: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/#supported-backing-filesystems \n[2]: http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/ \n[3]: http://jpetazzo.github.io/assets/2015-03-05-deep-dive-into-docker-storage-drivers.html#1 \n[4]: https://docs.docker.com/engine/userguide/storagedriver/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"n0x-jqo-rof","createdAt":1599601042737,"name":"Docker does not use AUFS storage driver"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe `iptables` firewall is used to set up, maintain, and inspect the tables of IP packet filter rules within the Linux kernel. The Docker daemon should be allowed to make changes to the `iptables` ruleset.\n\n## Rationale\n\nDocker will not make changes to your system `iptables` rules unless you allow it to do so. If you do allow this, Docker server will automatically make any required changes. 
You should let Docker make changes to `iptables` automatically in order to avoid networking misconfigurations that could affect the communication between containers and with the outside world. Additionally, this reduces the administrative overhead of updating `iptables` every time you add containers or modify networking options.\n\n## Audit\n\nTo confirm that the Docker daemon is allowed to change the `iptables` ruleset, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nEnsure that the `--iptables` parameter is either not present or not set to `false`. Also review the `/etc/docker/daemon.json` file to check that the `iptables` setting is not set to `false`.\n\n## Remediation\n\nDo not run the Docker daemon with `--iptables=false` parameter. \n\n## Impact\n\nThe Docker daemon service requires `iptables` rules to be enabled before it starts. Any restarts of `iptables` during Docker daemon operation may result in losing Docker-created rules. Adding `iptables-persistent` to your `iptables` install can mitigate.\n\n## Default value\n\nBy default, `iptables` is set to true.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/default_network/container-communication/][1]\n2. 
[https://fralef.me/docker-and-iptables.html][2]\n\n## CIS controls\n\nVersion 6.5 Controlled Use of Administration Privileges \n\n[1]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/\n[2]: https://fralef.me/docker-and-iptables.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3fv-xgy-7fb","createdAt":1599599453907,"name":"Docker is authorized to make firewall configuration changes"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:1.2.1","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAll Docker containers and their data and metadata are stored in the `/var/lib/docker` directory. By default, `/var/lib/docker` should be mounted under either the `/` or `/var` partitions depending on how the Linux operating system in use is configured.\n\n## Rationale\n\nDocker depends on `/var/lib/docker` as the default directory where all Docker related files, including the images, are stored. This directory could fill up quickly causing both Docker and the host to become unusable. 
For this reason, you should create a separate partition (logical volume) for storing Docker files.\n\n## Audit\n\nTo see the partition details for the `/var/lib/docker` mount point, at the Docker host run:\n\n```\ngrep '/var/lib/docker\\s' /proc/mounts \n```\n\nAlternatively, to see whether the configured root directory is a mount point, run.\n\n```\nmountpoint -- \"$(docker info -f '{{ .DockerRootDir }}')\" \n```\n\n## Remediation\n\nFor new installations, you should create a separate partition for the `/var/lib/docker` mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, `/var/lib/docker` is mounted under the `/` or `/var` partitions dependent on how the OS is configured.\n\n## References\n\n1. [https://www.projectatomic.io/docs/docker-storage-recommendation/][1]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know \n\n[1]: https://www.projectatomic.io/docs/docker-storage-recommendation/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.1","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wcf-c0t-fkz","createdAt":1602076808377,"name":"Docker local storage is mounted on a separate disk 
partition"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.5","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various other sensitive files. It should therefore be individual owned and group owned by root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the directory is owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker | grep -v root:root\n``` \n\nThis command does not return any data.\n\n## Remediation\n\nTo resolve this issue, run the following command: `chown root:root /etc/docker`\n\nThis sets the ownership and group ownership for the directory to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for this directory is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.`\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.5","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"heb-axz-wdc","createdAt":1599604466531,"name":"Docker related files are owned by the root account and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.6","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the `/etc/docker` directory permissions are correctly set to 755 or more restrictively.\n\n## Rationale\n\nThe `/etc/docker` directory contains certificates and keys in addition to various sensitive files. It should therefore only be writeable by root to ensure that it can not be modified by a less privileged user.\n\n## Audit\n\nYou should execute the command below to verify that the directory has permissions of 755+: \n\n```\nstat -c %a /etc/docker\n```\n\n## Remediation\n\nRun the following command: `chmod 755 /etc/docker`\n\nThis sets the permissions for the directory to 755.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for this directory are set to 755.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"een-7do-u18","createdAt":1599604083943,"name":"Docker related files cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.12","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server 
certificate file, the file that is passed along with the `--tlscert` parameter, has permissions of 444 or more restrictive permissions.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It should therefore have permissions of 444 to prevent its modification.\n\n## Audit\n\nVerify that the Docker server certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the command below: `chmod 444 `\n\nThis sets the file permissions of the Docker server certificate file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.12","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"blu-k6b-re1","createdAt":1602076770300,"name":"Docker server certificate file permissions are set to read-only or more restrictive"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=3&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.31","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker socket docker.sock should not be mounted inside a container.\n\n## Rationale\n\nIf the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.\n\n## Audit\n\nRun this command: `docker 
ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock` This returns any instances where `docker.sock` has been mapped to a container as a volume.\n\n## Remediation\n\nYou should ensure that no containers mount docker.sock as a volume.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, docker.sock is not mounted inside containers.\n\n## References\n\n1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/\n2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2\n3. https://github.com/docker/docker/issues/21109\n\n## CIS controls\n\nVersion 6\n\n9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.31","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.31\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3iw-zus-yz3","createdAt":1599602585460,"name":"Docker socket is not allowed to mount inside any 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","source:dynamodb","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:dynamodb","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement server-side encryption for your AWS DynamoDB data.\n\n## Rationale\n\nServer-side encryption, or encryption at rest, provides an additional layer of data protection by securing your data in an encrypted table. Encryption at rest integrates with AWS Key Management Service (KMS) to manage encryption keys that are used to encrypt these tables.\n\n## Remediation\n\n### Console\n\nFollow the [Managing Encrypted Tables in DynamoDB tutorial][1] to learn how to create and update a table in the AWS Console.\n\n### CLI\n\nRun `create-table` with a table configuration to [create a new encrypted table][2]. You can create an encrypted table with the default AWS owned CMK, AWS managed CMK, or customer managed CMK. Refer to the [AWS documentation for examples of each configuration][3]. 
For example:\n\n ```\n aws dynamodb create-table\n --table-name your-table\n ...\n --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=abcd1234-abcd-1234-a123-ab1234a1b234\n ```\n\n[1]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/dynamodb/create-table.html\n[3]: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html#encryption.tutorial-creating\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@sse_description_status:DISABLED","resourceType":"aws_dynamodb","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":
[{"query":"resource_type:aws_dynamodb (@sse_description_status:DISABLED)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ilq-ifj-zxi","createdAt":1615309114701,"name":"DynamoDB table is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt Amazon Elastic Block Store (EBS) snapshots with volume snapshot encryption keys.\n\n## Rationale\n\nAmazon EBS snapshots contain sensitive data, and publicly accessible snapshots can be copied. Keep your data secure from exploits or unauthorized users by using AWS key management.\n\n## Remediation\n\n### Console\n\nFollow the [Default key for EBS encryption][1] docs to learn how to encrypt a snapshot in the AWS Console.\n\n### CLI\n\n1. 
Run `get-ebs-default-kms-key-id` to describe [the default CMK][2].\n\n2. If you need to create a new key, follow the [Creating keys][3] AWS Console docs or the [create-key][4] AWS CLI docs.\n\n3. Run `modify-ebs-default-kms-key-id` with your `--kms-key-id` to [modify the default CMK used to encrypt EBS volumes][3].\n\nSee the [Set encryption defaults using the API and CLI][6] docs for additional information.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_key_mgmt\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/get-ebs-default-kms-key-id.html\n[3]: https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-ebs-default-kms-key-id.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Pro
tection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"i4v-od6-l5r","createdAt":1616090994130,"name":"EBS snapshot is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","requirement:Storage","framework:gdpr","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","source:ebs","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable encryption for Elastic Block Store (EBS).\n\n## Rationale\n\nAES-256 encryption, used by EBS, protects data stored on volumes, disk I/O, and the snapshots created from a volume to protect your sensitive data from exploits and unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn about the requirements and methods for enabling encryption in the AWS Console.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-requirements\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"2.2.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encrypted:false","resourceType":"aws_ebs_volume","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ebs_volume (@encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"2b3-94n-p7e","createdAt":1616090994097,"name":"EBS volume is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","source:ebs","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.9.4.5","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1","scope:ebs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure Amazon Elastic Block Store (EBS) snapshots.\n\n## Rationale\n\nPublicly shared Amazon EBS volume snapshots contain sensitive application data that can be seen, copied, and exploited.\n\n## Remediation\n\n### Console\n\nFollow the [EBS encryption][1] docs to learn how to implement EBS encryption. Public snapshots, which are encrypted by default, are not supported\n\n **Note**: You can share an encrypted snapshot with specific accounts.\n\n### CLI\n\n1. Run `enable-ebs-encryption-by-default` to [enable encryption for your account in the current region][2].\n\n2. 
Run `get-ebs-encryption-by-default` to confirm encryption is enabled.\n\nSee the [Set encryption defaults using the API and CLI][3] docs for additional commands related to EBS encryption.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#how-ebs-encryption-works\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default-api\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/enable-ebs-encryption-by-default.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.5","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attributes.create_volume_permission_group:all","resourceType":"aws_ebs_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"f
ilters":[],"queries":[{"query":"resource_type:aws_ebs_snapshot (@attributes.create_volume_permission_group:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"t5f-m5z-oio","createdAt":1616090994084,"name":"EBS volume snapshot is not publicly shared with other AWS accounts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:route53","iaas:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain has a suspicious TLD.\n\n## Strategy\nInspect the Route 53 logs and determine if the TLD of the DNS question (`@dns.question.name`) matches one of the top 5 TLDs on [Spamhaus's Most Abused Top Level Domains list][1].\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n[1]: https://www.spamhaus.org/statistics/tlds/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@dns.question.name:(*.fit. OR *.work. OR *.webcam. OR *.loan. OR *.cf.) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_tld","distinctFields":[]},{"query":"@dns.question.name:(*.no-ip. 
OR *.hopto.org OR *.myftp.org OR *.us.to OR *.myvpc.com OR *.dlinkddns.com OR *.myftp.biz) -@route53_edge_location:*","groupByFields":["instance-id"],"aggregation":"count","name":"suspicious_ddns","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"TLD","condition":"suspicious_tld > 0"},{"status":"medium","notifications":[],"name":"Dynamic DNS","condition":"suspicious_ddns > 0"}],"type":"log_detection","id":"dus-bf6-3jr","createdAt":1603296605789,"name":"EC2 instance requested a suspicious domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:route53","iaas:aws","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a requested domain resolves to the AWS Metadata IP (169.254.169.254).\n\n## Strategy\nInspect the Route 53 logs and determine if the response data for a DNS request matches the AWS Metadata IP (169.254.169.254). This could indicate an attacker is attempting to steal your credentials from the AWS metadata service.\n\n## Triage and response\n1. Determine which instance is associated with the DNS request.\n2. Determine whether the domain name which was requested (`dns.question.name`) should be permitted. 
If not, conduct an investigation and determine what requested the domain and determine if the AWS metadata credentials were accessed by an attacker.\n\n## Changelog\n- 19 May 2022 - Updated rule query.\n- 5 Jun 2022 - Updated rule query.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:route53 @answers.Rdata:169.254.169.254 -@route53_edge_location:* -@dns.question.name:instance-data*","groupByFields":["instance-id"],"aggregation":"count","name":"domain_resolve_to_metadata_ip","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"domain_resolve_to_metadata_ip > 0"}],"type":"log_detection","id":"mwi-zj7-db9","createdAt":1603296598998,"name":"EC2 instance resolved a suspicious AWS metadata DNS query"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","requirement:Transmission-Security","scope:ec2","source:ec2","framework:gdpr","requirement:System-Acquisition-Development-and-Maintenance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:1.9","control:3.4","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse the IMDSv2 session-oriented communication method to transport instance metadata. \n\n## Rationale\n\nAWS default configurations allow the use of either IMDSv1, IMDSv2, or both. 
IMDSv1 uses insecure GET request/responses which are at risk for a number of vulnerabilities, whereas IMDSv2 uses session-oriented requests and a secret token that expires after a maximum of six hours. This adds protection against misconfigured-open website application firewalls, misconfigured-open reverse proxies, unpatched Server Side Request Forgery (SSRF) vulnerabilities, and misconfigured-open layer-3 firewalls and network address translation.\n\n## Remediation\n\nFollow the [Transition to using Instance Metadata Service Version 2][1] docs to learn how to transition and reconfigure your software. \n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.9","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@metadata_options_http_tokens:required","resourceType":"aws_ec2_instance","filter":"","queryPath":"","complexRule":fals
e},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_ec2_instance (-@metadata_options_http_tokens:required)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zwp-mxe-p0v","createdAt":1649171077274,"name":"EC2 instance uses IMDSv2"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","source:elb","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","scope:elb","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up logging for your AWS Elastic Load Balancers (ELBs) to identify security issues.\n\n## Rationale\n\nAccess logs allow you to analyze each TCP and HTTP request, which are useful during security audits or troubleshooting.\n\n## Remediation\n\n### Console\n\nFollow the [Enable access logs for your Classic Load Balancer][1] docs to learn how to enable logging for your ELBs.\n\n### CLI\n\n1. 
Run `create-bucket` to [create an S3 bucket][2] that stores the ELB log files.\n\n **Note**: This bucket must be created in the same region as the ELB.\n\n ```\n aws s3api create-bucket\n --region us-west-1\n --bucket your-elb-logging-bucket\n ```\n\n2. Use the [AWS Policy Generator][3] to create a new policy.\n\n3. Run `put-bucket-policy` to [attach the policy document][4] to the S3 bucket.\n\n ```\n aws s3api put-bucket-policy\n --bucket your-elb-logging-bucket\n --policy file://elb-logging-policy.json\n ```\n\n4. Run `modify-load-balancer-attributes` to [enable logging][5] for the selected ELB.\n\n ```\n aws elb modify-load-balancer-attributes\n --region us-west-1\n --load-balancer-name YourLoadBalancerName\n --load-balancer-attributes\n \"{\\\"AccessLog\\\":{\\\"Enabled\\\":true,\\\"EmitInterval\\\":60,\\\"S3BucketName\\\":\\\"your-logging-bucket\\\"}}\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html\n[5]: 
https://docs.aws.amazon.com/cli/latest/reference/elb/modify-load-balancer-attributes.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@attributes.access_log_enabled:false OR @load_balancer_attributes.access_log.enabled:false","resourceType":"aws_elb_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elb_load_balancer (@attributes.access_log_enabled:false OR 
@load_balancer_attributes.access_log.enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"orv-wcu-4d4","createdAt":1615309114856,"name":"ELB is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","security:compliance","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Security-of-Processing","scope:elbv2","framework:soc-2","requirement:Security-Management-Process","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","requirement:Encryption-In-Transit","control:164.308-a-1-ii-B","control:164.312-e-2-i","source:elbv2","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse HTTPS to secure communication between your application client and an Elastic Load Balancer (ELB) listener.\n\n## Rationale\n\nWithout an HTTPS listener, front-end connections are vulnerable to exploits, such as man-in-the-middle (MITM) attacks. Securing all communication between your application client and ELB listener ensures sensitive data is protected.\n\n## Remediation\n\n### Console\n\nFollow the [Create an HTTPS listener for your Application Load Balancer][1] docs to learn how to create a listener that checks for connection requests.\n\n### CLI\n\n1. Run `list-certificates` to retrieve the ARN of your SSL certificate. If you do not have an SSL certificate, follow the [Create or import an SSL/TLS certificate][2] docs.\n2. 
Run `create-listener` using the [ARN of the load balancer and SSL certificate][3].\n\n ```\n aws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --protocol HTTPS\n --port 443\n --certificates CertificateArn=arn:aws:acm:region:123456789012:certificate/1abc0c41-bd73-5445-9ab9-123456a23456\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html#create-certificate-acm\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-listener.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.protocol:HTTPS","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application 
(-@listeners.protocol:HTTPS)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"6vz-qof-84o","createdAt":1616090994110,"name":"ELBv2 ALB is using a secure listener"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:elb","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","scope:elb","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure Amazon Network Load Balancers so all listeners use either TLS or HTTPS encryption. \n\n## Rationale\n\nUsing TLS or HTTPS helps ensure the communication between your network load balancers (NLBs) and backend servers is protected from decryption, data leaks, and other exploits. NLS's can accept and route TCP connections to Application load balancers(ALBs), this allows AWS customers to directly register an ALB as an NLB target, eliminating the need to actively manage changing ALB IP addresses. Amazon's NLBs can be configured to handle TLS termination. 
This reduces the workload on your backend systems and localizes TLS configuration to the NLBs, thereby improving both performance and security.\n\n\n\n## Remediation\n\n### Console\n\nFollow the [Create a listener for your network load balancer][1] docs to learn how to add a TLS listener to your network load balancer.\n\n### CLI\n\n1. Run `describe-load-balancers` to retrieve the ARNs of your network load balancers.\n2. Run `list-certificates` to retrieve the ARN of your Amazon ACM TLS certificates, or `list-server-certificates` to retrieve the ARN of your AWS IAM TLS certificates. If you do not have a TLS certificate, follow the [Configure TLS listeners: Certificates][2] docs.\n3. Run `create-listener` using the ARN of the desired load balancer and TLS certificate.\n\n ```\n aws elbv2 create-listener \n --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188 \n --certificates CertificateArn=arn:aws:acm:us-west-2:123456789012:certificate/3dcb0a41-bd72-4774-9ad9-756919c40557 \n --protocol TLS\n --port 443\n --ssl-policy ELBSecurityPolicy-2016-08 \n --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067\n ```\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-listener.html\n[2]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html#tls-listener-certificates\n[3]: 
https://aws.amazon.com/fr/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@protocol:\"TLS\" -(@protocol:\"TCP\" @port:443)","resourceType":"aws_elbv2_load_balancer","filter":"@type:network","queryPath":"listeners","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:network (-@protocol:\"TLS\" -(@protocol:\"TCP\" 
@port:443))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cyx-hvk-qq7","createdAt":1649774831020,"name":"ELBv2 Network Load Balancer listeners employ TLS or HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:elbv2","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","source:elbv2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Access Logging for your Amazon Application Load Balancers (ALBs).\n\n## Rationale\n\nLogs contain the time a request was received, a client's IP address, latencies, request paths, and server responses. 
You can use this information to analyze traffic patterns and troubleshoot issues.\n\n## Remediation\n\n### Console\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the console.\n\n### CLI\n\nFollow the AWS [Enable access logging][1] documentation to enable access logging using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#enable-access-logging","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_attribute(elbv2_load_balancer) if {\n\tattribute := 
elbv2_load_balancer.attributes[_]\n\tattribute.key == \"access_logs.s3.enabled\"\n\tattribute.value == \"true\"\n} else {\n\telbv2_load_balancer.attributes.access_logs_s3_enabled\n}\n\neval(elbv2_load_balancer) = \"pass\" if {\n\tcompliant_attribute(elbv2_load_balancer)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_elbv2_load_balancer"]},"validationQuery":"","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2sn-t47-ywf","createdAt":1632209936547,"name":"ELBv2 is generating access logs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","framework:gdpr","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","framework:iso-27001","control:1.3.5","source:elbv2","framework:pci","control:A.14.1.2","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:1.3","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Application Load Balancers (ALB) or 
Network Load Balancers (NLB) with an internal ELBv2 load balancer.\n\n## Rationale\n\nInternet-facing load balancers receive a public DNS name. Secure your connection by using an ELBv2 load balancer instead.\n\n## Remediation\n\n### Console\n\nFollow the [Create an application load balancer][1] docs to learn how to create an internal load balancer that routes requests to targets using private IP addresses.\n\n### CLI\n\nRun `create-load-balancer` with a [load balancer name, scheme, and subnet][2].\n\n```\naws elbv2 create-load-balancer\n--name my-internal-load-balancer\n--scheme internal\n--subnets subnet-b7d581c0 subnet-8360a9e7\n```\n\nSee the [create-load-balancer][2] AWS CLI docs to create a load balancer for a network or gateway.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/create-load-balancer.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement"
:"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@scheme:internet-facing","resourceType":"aws_elbv2_load_balancer","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer (@scheme:internet-facing)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"3wl-huh-f7v","createdAt":1616090994241,"name":"ELBv2 load balancer is not internet facing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:elbv2","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","source:elbv2","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","cloud_provider:aws","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Application Load Balancer (ALB) with the latest predefined AWS 
security policy.\n\n## Rationale\n\nInsecure or deprecated security policies can expose the client and the load balancer to various SSL/TLS vulnerabilities.\n\n## Remediation\n\n### Console\n\nFollow the [Update security policy][1] docs to learn how to update your HTTPS listener with the latest security policy.\n\n### CLI\n\nRun `modify-listener` with the [ARN of the listener and the recommended SSL policy][2].\n\n```\naws elbv2 create-listener\n --load-balancer-arn arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/app/my-load-balancer/12ab3c456d7e8912\n --ssl-policy ELBSecurityPolicy-2016-08 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:123456789012:targetgroup/my-targets/12ab3c456d7e8912\n```\n\nReview the [Security policies][3] docs for Amazon-recommended security policies.\n\n[1]: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html#update-security-policy\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elbv2/modify-listener.html\n[3]: 
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 
-@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10","resourceType":"aws_elbv2_load_balancer","filter":"@type:application","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elbv2_load_balancer @type:application (-@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-1-2017-01 -@listeners.ssl_policy:ELBSecurityPolicy-TLS-1-2-Ext-2018-06 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-1-2019-08 -@listeners.ssl_policy:ELBSecurityPolicy-FS-1-2-Res-2020-10)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"pty-qoz-aa9","createdAt":1616090994247,"name":"ELBv2 load balancer is using the latest security policy"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.3.3","requirement:Controller-Manager","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse individual service account credentials for each controller.\n\n## Rationale\n\nThe controller manager creates a service account per controller in the kube-system namespace, generates a credential for it, and builds a dedicated API client with that service account credential for each controller loop to use. Setting the `--use-service-account-credentials` to true runs each control loop within the controller manager using a separate service account credential. 
When used in combination with RBAC, this ensures that the control loops run with the minimum permissions required to perform their intended tasks.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--use-service-account-credentials` argument is set to true.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node to set the below parameter:\n\n```\n--use-service-account-credentials=true\n```\n\n## Impact\n\nWhatever authorizer is configured for the cluster, it must grant sufficient permissions to the service accounts to perform their intended tasks. When using the RBAC authorizer, those roles are created and bound to the appropriate service accounts in the kube-system namespace automatically with default roles and rolebindings that are auto-reconciled on startup. If using other authorization methods (ABAC, Webhook, etc.), the cluster deployer is responsible for granting appropriate permissions to the service accounts (the required permissions can be seen by inspecting the `controller-roles.yaml` and `controller-role-bindings.yaml` files for the RBAC roles.\n\n## Default value\n\nBy default, `--use-service-account-credentials` is set to false.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://kubernetes.io/docs/admin/service-accounts-admin/ ][2]\n3. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml ][3]\n4. [https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml ][4]\n5. 
[https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles][5]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://kubernetes.io/docs/admin/service-accounts-admin/ \n[3]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-roles.yaml \n[4]: https://github.com/kubernetes/kubernetes/blob/release-1.6/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/controller-role-bindings.yaml \n[5]: https://kubernetes.io/docs/admin/authorization/rbac/#controller-roles\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.3","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"b7m-bho-nat","createdAt":1599602400314,"name":"Each controller uses individual service account 
credentials"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:A.12.2.1","framework:gdpr","requirement:Default-Security-Parameter","requirement:System-Acquisition-Development-and-Maintenance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","requirement:Operations-Security","control:25.2","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","source:elasticache","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","scope:elasticache","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nChange your AWS ElastiCache cluster endpoint port to a non-default port.\n\n## Rationale\n\nUsing the default port puts clusters at risk of exploits and attacks. Configure a custom port to add an extra layer of security to your clusters.\n\n## Remediation\n\n### Console\n\nFollow the [Finding connection endpoints][1] console documentation to learn how to find and modify your cluster's endpoint port.\n\n### CLI\n\n1. Run `aws elasticache describe-cache-clusters` with your [ElastiCache cluster ID][2] to output the existing cluster configuration.\n\n ```\n\n aws elasticache describe-cache-clusters\n --cache-cluster-id your-cc-id\n\n ```\n\n2. Run `aws elasticache create-cache-cluster` with the cluster data returned in the previous step. Configure the new cache cluster with [a custom value][3] for the endpoint port. This returns new cluster metadata.\n\n ```\n\n aws elasticache create-cache-cluster\n --cache-cluster-id new-cc-id\n ...\n --port 10001\n\n ```\n\n3. 
Once the cluster endpoint port is updated, remove the old ElastiCache cluster. Run `delete-cache-cluster` with the [original cluster ID][4].\n\n ```\n\n aws elasticache delete-cache-cluster\n --cache-cluster-id your-cc-id\n\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Endpoints.html#Endpoints.Find.Redis\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/describe-cache-clusters.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/delete-cache-cluster.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B
","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached @configuration_endpoint_port:11211) OR (@engine:redis @configuration_endpoint_port:6379))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"skt-e9r-x89","createdAt":1619112189062,"name":"ElastiCache cluster is not using default 
ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","source:elasticache","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticache","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nProvision your AWS EC2-VPC ElastiCache cluster within the AWS ECS-VPC platform.\n\n## Rationale\n\nUsing the EC2-Classic platform minimizes control over cache cluster security and traffic routing. Provisioning with AWS EC2-VPC enables better networking infrastructure, control over VPC security groups, and more.\n\n## Remediation\n\n### Console\n\nFollow the [Getting started with Amazon VPC][1] docs to configure AWS EC2-VPC for your ElastiCache clusters.\n\n### CLI\n\n1. Run `create-vpc` to [create a new Virtual Private Cloud (VPC)][2] for your ElastiCache cluster.\n\n ```\n aws ec2 create-vpc\n --cidr-block 10.0.0.0/16\n ```\n\n2. Run `aws ec2 create-internet-gateway` to [create a new AWS Internet Gateway][3] for your new VPC.\n\n3. Run `attach-internet-gateway` with the [VPC ID returned in step 1, and the internet gateway ID returned in step 2][4].\n\n ```\n aws ec2 create-subnet\n --vpc-id vpc-ab12c345\n --cidr-block 10.0.1.0/24\n ```\n\n4. 
Run `create-route-table` with [your VPC ID][5] created in step 1.\n\n ```\n aws ec2 create-route-table\n --vpc-id vpc-ab12c345\n ```\n\n5. Run `associated-route-table` with the [subnet ID returned in step 3, and the route table ID returned in step 4][6].\n\n ```\n aws ec2 associate-route-table\n --route-table-id rta-12345678\n --subnet-id subnet-ab123c45\n ```\n\n6. Run `create-route` to [add a new route][7] to your new VPC route table.\n\n ```\n aws ec2 create-route\n --route-table-id rta-12345678\n --destination-cidr-block 0.0.0.0/0\n --gateway-id gwi-123a4b56\n ```\n\n7. Run `create-security-group` with your new VPC ID to [create a security group][8] for your new cluster.\n\n ```\n aws ec2 create-security-group\n --group-name ECSecurityGroup\n --description \"Redis CC Security Group\"\n --vpc-id vpc-ab12c345\n ```\n\n8. Run `authorize-security-group-ingress` to [add more inbound rules][9] to the security group created in step 7.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-id se-a12345b0\n --protocol tcp\n --port 1234\n --cidr 10.0.0.0/16\n ```\n\n9. Run `create-cache-cluster` to recreate your EC2-Classic cache cluster within your new AWS VPC. 
Use the newly created [ElastiCache cluster configuration attributes][10] returned in the steps above.\n\n ```\n aws elasticache create-cache-cluster\n --cache-cluster-id vpccachecluster\n --az-mode single-az\n --cache-node-type cache.m5.large\n --num-cache-nodes 1\n --engine redis\n --engine-version \"2.6.13\"\n --security-group-ids \"se-a12345b0\"\n --port 1234\n --auto-minor-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc.html#synopsis\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-internet-gateway.html#synopsis\n[4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/attach-internet-gateway.html#synopsis\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route-table.html#synopsis\n[6]: https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-route-table.html#synopsis\n[7]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html#synopsis\n[8]: https://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html#synopsis\n[9]: https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html#synopsis\n[10]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/elasticache/create-cache-cluster.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@cache_subnet_group_name:\"\" OR 
(-@cache_subnet_group_name:*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache (@cache_subnet_group_name:\"\" OR (-@cache_subnet_group_name:*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"0uf-cns-jqu","createdAt":1619112189088,"name":"ElastiCache cluster is provisioned in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","source:elasticache","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticache","framework:soc-2","requirement:Change-Management","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon ElastiCache cluster to the latest, stable version of the Redis/Memcached cache engine.\n\n## Rationale\n\nUsing the latest version allows for security patches, bug fixes, better performance, and memory management.\n\n## Remediation\n\n### Console\n\nFollow the [Upgrading engine versions][1] docs to learn how to modify your ElastiCache cluster or replication group in the console.\n\n### CLI\n\nFollow the [Modify an ElastiCache cluster (AWS CLI)][2] or [Modify a replication group (AWS CLI)][3] docs for configuration options.\n\nFor example, to modify an ElastiCache cluster, run `modify-replication-group` with your replication group ID and enable Multi-AZ.\n\n ```\n aws elasticache modify-replication-group\n --replication-group-id myReplGroup\n 
--multi-az-enabled = true\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html\n[2]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.Modify.html#Clusters.Modify.CLI\n[3]: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.Modify.html#Replication.Modify.CLI","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"(@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*)","resourceType":"aws_elasticache","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticache ((@engine:memcached -@engine_version:1.6.6) OR (@engine:redis -@engine_version:6.*))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sw1-liy-ybw","createdAt":1619112188570,"name":"ElastiCache cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","control:CC7.5","cloud_provider:aws","control:6.2","requirement:System-Operations","scope:elasticsearch","framework:soc-2","requirement:Change-Management","source:elasticsearch","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpgrade to the latest version of Amazon Elasticsearch (ES) engine.\n\n## Rationale\n\nUsing the latest version of Amazon ES ensures you receive the latest bug fixes, security patches, and features.\n\n## Remediation\n\n### Console\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (console)][1] docs to learn about the upgrade process and how to complete an upgrade from the AWS Console.\n\n### CLI\n\nFollow the [To upgrade a domain to a later version of Elasticsearch (AWS CLI)][1] docs to being an upgrade using the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades\n[2]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-version-migration.html#starting-upgrades","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nformat(version) = semver if 
{\n\tcount(indexof_n(version, \".\")) == 0\n\tsemver := concat(\"\", [version, \".0.0\"])\n} else = semver {\n\tcount(indexof_n(version, \".\")) == 1\n\tsemver := concat(\"\", [version, \".0\"])\n} else = semver {\n\tsemver := version\n}\n\neval(version) = \"pass\" if {\n\tformatted_semver := format(version)\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"7.10.0\") >= 0\n} else = \"pass\" {\n\tstartswith(version, \"OpenSearch_\")\n\tformatted_semver := format(trim_prefix(version, \"OpenSearch_\"))\n\tsemver.is_valid(formatted_semver)\n\tsemver.compare(formatted_semver, \"1.3.0\") >= 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource.elasticsearch_version))\n}\n","resourceTypes":["aws_elasticsearch_domain"]},"validationQuery":"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wd7-iw7-z3h","createdAt":1619540057479,"name":"Elasticsearch cluster is using the latest engine 
version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","scope:elasticsearch","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate publicly accessible Amazon Elasticsearch domains to block unsigned requests.\n\n## Rationale\n\nUpdating your Amazon Elasticsearch domain to a private domain ensures your data cannot be accessed or altered by unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring Access Policies][1] docs to learn how to update your publicly accessible Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. Create a new policy JSON document. You can follow the [Amazon Elasticsearch templated policy][2] to create a custom policy that grants domain access only to a specific IP.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n \"Action\": \"es:*\",\n \"Condition\": {\n \"IpAddress\": {\n \"aws:SourceIp\": [\n \"54.197.25.93/32\"\n ]\n }\n },\n \"Resource\": \"arn:aws:es:123456789123:\n domain/es-cluster/*\"\n }\n ]\n }\n ```\n\n2. 
Run `update-elasticsearch-domain-config` using the name of the [Elasticsearch domain][3] created in the previous step.\n\n ```\n aws es update-elasticsearch-domain-config\n --domain-name es-cluster\n --access-policies file://ip-based-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/update-elasticsearch-domain-config.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ci6-bcw-l3n","createdAt":1615309114393,"name":"Elasticsearch domain is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:elasticsearch","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","scope:elasticsearch","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure your Amazon Elasticsearch (ES) domain is only accessible from an AWS VPC.\n\n## Rationale\n\nUsing a VPC gives your Amazon ES domains an extra layer of 
security. Launching your clusters within a VPC ensures communication between your clusters and other AWS services is secure.\n\n## Remediation\n\nOnce a domain is created with a public endpoint, it cannot be switched to VPC access. Follow the [Migrating from Public Access to VPC Access][1] docs to learn how to create a new domain and either manually reindex or migrate your data.\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html#es-migrating-public-to-vpc\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","ve
rsion":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@endpoint:*\\.es\\.amazonaws\\.com","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@endpoint:*\\.es\\.amazonaws\\.com)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"vdg-rky-pye","createdAt":1619540057246,"name":"Elasticsearch domain resides in a VPC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImplement 
at-rest encryption for your Amazon Elasticsearch (ES) domain with the AWS KMS service.\n\n## Rationale\n\nImplementing encryption at-rest protects your domain from unauthorized access and ensures security and compliance requirements are met.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to implement encryption for your domain.\n\n### CLI\n\n1. Run `describe-elasticsearch-domain` with your ES domain to return configuration metadata.\n\n ```\n aws es describe-elasticsearch-domain\n --domain-name your-es-domain\n ```\n\n2. Run `create-elasticsearch-domain` with your domain name and `encryption-at-rest-options`. Use the metadata returned in the previous step to [create and relaunch your ES domain to enable at-rest encryption][3].\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-es-domain\n ...\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html#enabling-ear\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/describe-elasticsearch-domain.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_enabled:false","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"75z-ehk-ced","createdAt":1615309114337,"name":"Elasticsearch domains are encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:System-Acquisition-Development-and-Maintenance","source:elasticsearch","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:A.14.1.3","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","scope:elasticsearch","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","control:3.5.2","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).\n\n## Rationale\n\nKMS Custom Master Keys protect your domains and allow more granular control over the encryption/decryption process.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Encryption of Data at Rest][1] docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console.\n\n### CLI\n\n1. 
Create a new policy JSON document with the following [configuration][2]:\n\n ```\n {\n \"Id\": \"es-custom-key-policy\",\n \"Statement\": [\n {\n \"Sid\": \"Enable IAM User Permissions\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:root\"},\n \"Action\": \"kms:*\",\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Grant access to CMK manager\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:role/AmazonESManager\"},\n \"Action\": [\n \"kms:Create*\",\n \"kms:Describe*\",\n \"kms:Enable*\",\n \"kms:List*\",\n \"kms:Put*\",\n \"kms:Update*\",\n \"kms:Revoke*\",\n \"kms:Disable*\",\n \"kms:Get*\",\n \"kms:Delete*\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:CancelKeyDeletion\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow the use of the CMK\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:Decrypt\",\n \"kms:ReEncrypt*\",\n \"kms:GenerateDataKey*\",\n \"kms:DescribeKey\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"Allow attachment of persistent resources\",\n \"Effect\": \"Allow\",\n \"Principal\": {\"AWS\": \"arn:aws:iam::111122223333:user/ESAdmin\"},\n \"Action\": [\n \"kms:CreateGrant\",\n \"kms:ListGrants\",\n \"kms:RevokeGrant\"\n ],\n \"Resource\": \"*\",\n \"Condition\": {\n \"Bool\": {\"kms:GrantIsForAWSResource\": \"true\"}\n }\n }\n ]\n }\n ```\n\n2. Run `create-key` to [create a KMS key][3] with the new policy document.\n\n ```\n aws kms create-key\n --description 'KMS CMK policy for encrypting es domain data'\n --policy file://es-kms-cmk-policy.json\n ```\n\n3. Run `create-alias` with the returned ARN key to [attach a new alias][4] to the CMK.\n\n ```\n aws kms create-alias\n --alias-name your-alias/ESCustomCMK\n --target-key-id arn:aws:kms:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\n ```\n\n4. 
Run `create-elasticsearch-domain` with the returned configuration data in step 3 to [create the selected domain][5] with `encryption-at-rest-options` set as `enabled= true` and the `KmsKeyId=your-key-id`.\n\n ```\n aws es create-elasticsearch-domain\n --domain-name your-domain-name\n ....\n --encryption-at-rest-options Enabled=true,KmsKeyId=\"abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd\"\n ```\n\n[1]: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createupdatedomains.html#es-createdomain-configure-access-policies\n[2]: https://docs.aws.amazon.com/kms/latest/developerguide/determining-access-key-policy.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-key.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/create-alias.html#options\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/es/create-elasticsearch-domain.html#options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":
"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\"","resourceType":"aws_elasticsearch_domain","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_elasticsearch_domain (@encryption_at_rest_options_kms_key_id:\"(Default) aws/es\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"abl-8du-xrn","createdAt":1615309114399,"name":"Elasticsearch domains are encrypted with KMS Customer Master Keys"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation on controller-manager.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad. \n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. 
Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--feature-gates` parameter to include `RotateKubeletServerCertificate=true`. \n\n```\n--feature-gates=RotateKubeletServerCe`rtificate=true\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `RotateKubeletServerCertificate` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller ][1]\n2. [https://github.com/kubernetes/features/issues/267 ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/45059 ][3]\n4. [https://kubernetes.io/docs/admin/kube-controller-manager/][4]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#approval-controller \n[2]: https://github.com/kubernetes/features/issues/267 \n[3]: https://github.com/kubernetes/kubernetes/pull/45059 \n[4]: https://kubernetes.io/docs/admin/kube-controller-manager/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.6","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"asw-6hh-yc2","createdAt":1599605162809,"name":"Enable kubelet server certificate rotation on controller-manager"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1555-credentials-from-password-stores","scope:ec2","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to retrieve the encrypted Administrator password for a Windows EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to retrieve the encrypted Administrator password for a Windows EC2 instance using the [`GetPasswordData`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n3. 
If the API call was made by the user:\n * Determine if this user should be accessing this EC2 instance.\n * If Yes, advise the user to speak with the instance owner to resolve the error.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_GetPasswordData.html","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetPasswordData @eventSource:ec2.amazonaws.com status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"get_passwordata","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Error","condition":"get_passwordata > 0"}],"type":"log_detection","id":"kyo-yjf-zbm","createdAt":1652796676631,"name":"Encrypted administrator password retrieved for Windows EC2 instance"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.12","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory ownership is set to `etcd:etcd`.\n\n## Rationale\n\n`etcd` is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should be owned by `etcd:etcd`.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir` from the command:\n\n```bash\nps -ef | grep etcd\n```\n\nBased on the etcd data directory found above, run the command:\n\n```bash\nstat -c %U:%G /var/lib/etcd\n```\n\nVerify the ownership is set to `etcd:etcd`.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chown etcd:etcd /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory ownership is set to `etcd:etcd`.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.12","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"25d-zal-sfr","createdAt":1599601968321,"name":"Etcd data directory is owned by the etcd user and group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.11","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the etcd data directory has permissions of 700 or more restrictive.\n\n## Rationale\n\netcd is a highly-available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. This data directory should be protected from any unauthorized reads or writes. 
It should not be readable or writable by any group members or the world.\n\n## Audit\n\nOn the etcd server node, get the etcd data directory passed as an argument `--data-dir`, from the command:\n\n```bash\nps -ef | grep etcd\n```\n\n Based on the etcd data directory found above, run the command:\n \n ```bash\n stat -c %a /var/lib/etcd\n ```\n \n Verify the permissions are `700` or more restrictive.\n\n## Remediation\n\nOn the etcd server node, get the etcd data directory, passed as an argument `--data-dir`, from the below command: `ps -ef | grep etcd`\n\nRun the command (based on the etcd data directory found above): `chmod 700 /var/lib/etcd`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, etcd data directory has permissions of 755.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#data-dir\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.11","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qgj-hf0-an1","createdAt":1599601412710,"name":"Etcd data directory permissions cannot be accessed by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.7","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file has permissions of 640.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.7","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vqc-dps-6tp","createdAt":1599605605880,"name":"Etcd pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.8","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to `root:root`.\n\n## Rationale\n\nThe etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` controls various parameters that set the behavior of the etcd service in the master node. etcd is a highly-available key-value store which Kubernetes uses for persistent storage of all of its REST API object. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/etcd.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/etcd.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/etc/kubernetes/manifests/etcd.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://coreos.com/etcd\n2. https://kubernetes.io/docs/admin/etcd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.8","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oac-lbl-npz","createdAt":1599600311388,"name":"Etcd pod specification file is owned by root"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145801235,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"e9v-9k1-5dm","isDefault":false,"name":"Example-Create_a_detection_rule_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":true,"message":"test","options":{"impossibleTravelOptions":{"baselineUserLocations":false},"detectionMethod":"impossible_travel","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145785229,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.id"],"query":"*"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"uaf-siz-jfo","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"Test rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":1,"createdAt":1665145796516,"filters":[],"queries":[{"query":"@test:true","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"workload_security","id":"3cl-gl3-k7y","isDefault":false,"name":"Example-Create_a_detection_rule_with_type_workload_security_returns_OK_response"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:exchange-server","technique:T1137-office-application-startup","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user sets up a mail forwarding rule to another email address. 
An adversary or insider threat could set a forwarding rule to forward all emails to an external email address.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with `@evt.name` value of `Set-Mailbox`, where a value is set for `@Parameters.ForwardingSmtpAddress` and the `@evt.outcome` is `True`.\n\n## Triage and response\n1. Inspect the `@Parameters.ForwardingSmtpAddress` for `{{@usr.email}}` to see if it is sending email to an external non-company owned domain.\n2. Determine if there is a legitimate use case for the mail forwarding rule.\n3. If `{{@usr.email}}` is not aware of the mail forwarding rule, investigate all `{{@usr.email}}` accounts for anomalous activity. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-Mailbox -@Parameters.ForwardingSmtpAddress:\"\" @Parameters.ForwardingSmtpAddress:* @evt.outcome:True","groupByFields":["@usr.id"],"aggregation":"count","name":"forwarding_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"forwarding_rule > 0"}],"type":"log_detection","id":"vmq-1zo-03a","createdAt":1630681822552,"name":"Exchange Online mail forwarding rule 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.2","scope:azure.appservice","framework:iso-27001","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","requirement:Communications-Security","control:4.1","control:9.10","requirement:App-Service","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Azure functions, web, and API services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPs should be required for FTP login for all App Service apps and functions.\n\n## Rationale\n\nAzure FTP deployment endpoints are public. An attacker listening to traffic on a Wi-Fi network used by a remote employee or a corporate network could see login traffic in clear-text which would then grant them full control of the code base of the app or service. This finding is more severe if user credentials for deployment are set at the subscription level rather than using the default application credentials which are unique per app.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to the Azure Portal\n2. Select App Services\n3. Click on an app\n4. Select Settings > Configuration\n5. Under Platform Settings, set FTP state to Disabled or FTPS Only\n\n## Impact\n\nDeployment workflows that rely on FTP or FTPs rather than the WebDeploy or HTTPs endpoints may be affected.\n\n## References\n\n1. 
Azure Web Service Deploy via FTP - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp\n2. Azure Web Service Deployment - https://docs.microsoft.com/en-us/azure/app-service/overview-security\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities\n\n## CIS Controls\n\nVersion 7\n\n14.4 Encrypt All Sensitive Information in Transit\n16.5 Encrypt Transmittal of Username and Authentication Credentials - Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.10","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6
.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@site_config_ftps_state:AllAllowed","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (@site_config_ftps_state:AllAllowed)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"chw-olp-dfn","createdAt":1631623028308,"name":"FTP deployments are disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:fastly","scope:fastly","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This identifies attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2]. 
\n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:fastly @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dqs-oru-107","createdAt":1587530162282,"name":"Fastly HTTP Requests from Security Scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a file that is not part of the original container image has been created and executed within the container.\n\n## Strategy\nAttackers sometimes add scripts to running containers to exploit some functionality or automate some actions. Normally, containers are meant to be immutable environments, and when you require new scripts or other executable files, you add them to the container image itself and not to the running container. This detection identifies when newly created files are executed shortly after file creation or modification.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage & Response\n1. Determine whether the file executing is expected to be present in the container. \n2. 
If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. Investigate whether the file was added to multiple containers around the same time, and whether the affected systems follow a pattern. For example, if a file was seen executing in multiple containers, do the containers share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.29 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_binary_execution_in_container","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:new_binary_execution_in_container"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"new_binary_execution_in_container"}],"type":"workload_security","id":"n5d-tm8-kco","createdAt":1652131404468,"name":"File created and executed inside container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","tactic:TA0009-collection","technique:T1530-data-from-cloud-storage-object","scope:google-cloud-storage","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect unauthenticated access to an object in a GCS bucket (`bucket_name`).\n\n## Strategy \nMonitor GCS bucket (`bucket_name`) for get requests(`@evt.name:storage.objects.get`) made by unauthenticated users (`@usr.id`).\n\n## Triage and response\nInvestigate the logs and determine whether or not the 
accessed bucket: {{bucket_name}} should be accessible to unauthenticated users.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket -@usr.id:* @evt.name:storage.objects.get status:info","groupByFields":["project_id","bucket_name"],"aggregation":"count","name":"get_object","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"get_object","condition":"get_object > 0"}],"type":"log_detection","id":"nmj-sov-f5d","createdAt":1598043413480,"name":"GCP Bucket Contents Downloaded Without Authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1083-file-and-directory-discovery","source:gcp","scope:google-cloud-storage","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service account lists out GCS Buckets.\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine when a service account invokes the following method:\n\n* `storage.buckets.list`\n\n## Triage and response\n1. Determine whether this service account should be making list bucket calls.\n * If the account was compromised, secure the account and investigate how it was compromised and if the account made other unauthorized calls.\n * If the owner of the service account intended to make the `ListBuckets` API call, consider whether this API call is needed. It could cause a security issue for the application to know the name of the bucket it needs to access. 
If it's not needed, modify this rule's filter to stop generating signals for this specific service account.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.list @usr.id:*gserviceaccount.com","groupByFields":["project_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cnc-wi1-llf","createdAt":1587592199858,"name":"GCP Bucket enumerated"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an administrative change to a GCS Bucket has been made. This could change the retention policy or bucket lock. For more information, see the [GCS Bucket Lock docs][1].\n\n## Strategy\nThis rule lets you monitor GCS bucket admin activity audit logs to determine if a bucket has been updated with the following method:\n\n* `storage.buckets.update`\n\n## Triage and response\n1. 
Review the bucket to ensure that it is properly configured.\n\n[1]: https://cloud.google.com/storage/docs/bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.buckets.update","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"iz3-sc4-ryy","createdAt":1585871279860,"name":"GCP Bucket modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-storage"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when permissions have changed on a GCS Bucket.\n\n## Strategy\nMonitor GCS bucket admin activity audit logs to determine the following method is invoked:\n\n* `storage.setIamPermissions`\n\n## Triage and response\n1. 
Review the bucket permissions and ensure they are not overly permissive.\n\n## Changelog\n5 Septermber 2022 - Updated rule query","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gcs.bucket @evt.name:storage.setIamPermissions -@evt.outcome:ERROR","groupByFields":["project_id","bucket_name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fdk-tly-4qr","createdAt":1585871193842,"name":"GCP Bucket permissions modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.cloudsql.database"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Cloud SQL DB has been modified.\n\n## Strategy\nThis rule lets you monitor GCP Cloud SQL admin activity audit logs to determine when one of the following methods are invoked:\n\n* `cloudsql.instances.create`\n* `cloudsql.instances.create`\n* `cloudsql.users.update`\n\n## Triage and response\n1. 
Review the Cloud SQL DB and ensure it is configured properly with the correct permissions.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.cloudsql.database @evt.name:(cloudsql.instances.create OR cloudsql.instances.create OR cloudsql.users.create OR cloudsql.users.update)","groupByFields":["project_id","database_id","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ikf-ye8-cnu","createdAt":1585871198921,"name":"GCP Cloud SQL database modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.gce.firewall.rule","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created, modified or deleted. \n\n## Strategy\nMonitor GCP GCE activity audit logs to determine when any of the following methods are invoked:\n\n* `v1.compute.firewalls.delete`\n* `v1.compute.firewalls.insert`\n* `v1.compute.firewalls.patch` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.firewall.rule @evt.name:(v1.compute.firewalls.delete OR v1.compute.firewalls.insert OR v1.compute.firewalls.patch)","groupByFields":["project_id","@data.protoPayload.resourceOriginalState.name","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"n1w-sql-apl","createdAt":1585870279610,"name":"GCP GCE Firewall rule modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a VPC network is created. \n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine when the following method is invoked to create a new VPC network:\n\n* `beta.compute.networks.insert`\n\n## Triage and response\n1. Review the VPC network.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:beta.compute.networks.insert","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"a9z-oic-grb","createdAt":1585871193403,"name":"GCP GCE VPC network modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:gcp.gce.route","source:gcp","security:compliance"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a firewall rule is created or modified. 
\n\n## Strategy\nThis rule lets you monitor GCP GCE activity audit logs to determine if a firewall is being adjusted by showing you when any of the following methods are invoked:\n\n* `beta.compute.routes.insert`\n* `beta.compute.routes.patch`\n\n## Triage and response\n1. Veirify that the GCP route is configured properly and that the user intended to modify the firewall.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.gce.route @evt.name:(beta.compute.routes.insert OR beta.compute.routes.patch)","groupByFields":["project_id","@data.protoPayload.resourceName","@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lht-ml8-u6r","createdAt":1585870282924,"name":"GCP GCE network route created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a custom role is created or modified. \n\n## Strategy\nMonitor GCP IAM activity audit logs to determine when any of the following methods are invoked:\n\n* `google.iam.admin.v1.CreateRole`\n* `google.iam.admin.v1.UpdateRole` \n\n## Triage and response\n1. Review the log and role and ensure the permissions are scoped properly.\n2. 
Review the users associated with the role and ensure they should have the permissions attached to the role.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.iam.role @evt.name:(google.iam.admin.v1.CreateRole OR google.iam.admin.v1.UpdateRole)","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rhy-fzm-gwl","createdAt":1585870282410,"name":"GCP IAM custom role created or modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1098-account-manipulation","scope:gcp.project","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a change to the IAM policy. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when the `SetIamPolicy` method is invoked. \n\n## Triage and response\n1. 
Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:SetIamPolicy","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"fgm-8w4-cgx","createdAt":1585870280073,"name":"GCP IAM policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.subscription","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP Pub/Sub Subscription has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.pubsub.v1.Subscriber.UpdateSubscription`\n* `google.pubsub.v1.Subscriber.DeleteSubscription`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.subscription @evt.name:(google.pubsub.v1.Subscriber.UpdateSubscription OR google.pubsub.v1.Subscriber.DeleteSubscription)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"tsj-mac-mdc","createdAt":1587592205917,"name":"GCP Pub/Sub Subscriber modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.pubsub.topic","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP Pub/Sub Subscribtion has been deleted. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when the following method is invoked:\n\n* `google.pubsub.v1.Publisher.DeleteTopic`\n\n## Triage and response\n1. 
Review the subscribtion and ensure it is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.pubsub.topic @evt.name:google.pubsub.v1.Publisher.DeleteTopic","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"dp6-zom-jyv","createdAt":1587592198839,"name":"GCP Pub/Sub topic deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1562-impair-defenses","scope:gcp.project","tactic:TA0005-defense-evasion"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a change to a GCP logging sink has been made. This could stop audit logs from being sent to Datadog.\n\n## Strategy\nMonitor GCP admin activity audit logs to determine when any of the following methods are invoked:\n\n* `google.logging.v2.ConfigServiceV2.UpdateSink`\n* `google.logging.v2.ConfigServiceV2.DeleteSink`\n\n## Triage and response\n1. 
Review the sink and ensure the sink is properly configured.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.project @evt.name:(google.logging.v2.ConfigServiceV2.UpdateSink OR google.logging.v2.ConfigServiceV2.DeleteSink)","groupByFields":["@usr.id","@data.protoPayload.resourceName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"hil-rl3-yxs","createdAt":1585871191688,"name":"GCP logging sink modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","scope:google-cloud-iam","technique:T1850-cloud-infrastructure-discovery","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a GCP service account is compromised.\n\n## Strategy \nInspect the GCP Admin Activity Logs (`@data.logName:*%2Factivity`) and filter for only GCP Service Accounts (`@usr.id:*.iam.gserviceaccount.com`). Count the unique number of GCP API calls (`@evt.name`) which are being made for each service account (`@usr.id`). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline. 
\n\nTo read more about GCP Audit Logs, you can read our blog post [here][1].\n\n## Triage and response\nInvestigate the logs and determine whether or not the GCP Service Account is compromised.\n\n[1]: https://www.datadoghq.com/blog/monitoring-gcp-audit-logs/","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp* @data.logName:*%2Factivity @usr.id:*.iam.gserviceaccount.com","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"hc1-nv3-hzw","createdAt":1629125255724,"name":"GCP service account accessing anomalous number of GCP APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","technique:T1136-create-account","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account is created.\n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to determine when a service account is created. \n\n## Triage and response\n1. 
Contact the user who created the service account and ensure that the account is needed and that the role is scoped properly.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccount","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"szx-4kh-eqs","createdAt":1585870281733,"name":"GCP service account created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:gcp.service.account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new service account key is created. An attacker could use this key as a backdoor to your account. \n\n## Strategy\nThis rule lets you monitor GCP admin activity audit logs to detect the creation of a service account key. \n\n## Triage and response\n1. 
Contact the user who created the service account key to ensure they're managing the key securely.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.service.account @evt.name:google.iam.admin.v1.CreateServiceAccountKey","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"79j-4wh-xlq","createdAt":1585870277946,"name":"GCP service account key created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when there is unauthorized activity by a service account in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the service account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the service account:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account.\n2. 
If unauthorized, revoke access of compromised service account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 @usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"89d-2v1-fvm","createdAt":1587592191518,"name":"GCP unauthorized service account activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gcp","security:compliance","scope:google-cloud-iam","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when unauthorized activity by a user is detected in GCP.\n\n## Strategy\nMonitor GCP logs and detect when a user account makes an API request and the request returns the status code equal to `7` within the log attribute `@data.protoPayload.status.code`. The status code `7` indicates the user account did not have permission to make the API call.\n\n## Triage and response\n1. Investigate the user:`{{@usr.id}}` that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the user account.\n2. 
If unauthorized, revoke access of compromised user account and rotate credentials.\n\n## Changelog\n22 June 2022 - Updated query, rule case and triage.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:gcp.* @data.protoPayload.status.code:7 -@usr.id:(*gserviceaccount.com OR *google.com)","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"failed_attempt","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"greater than 999 failed attempts","condition":"failed_attempt > 999"},{"status":"medium","notifications":[],"name":"greater than 100 failed attempts","condition":"failed_attempt > 100"},{"status":"low","notifications":[],"name":"greater than 10 failed attempts","condition":"failed_attempt > 10"}],"type":"log_detection","id":"stt-ows-yte","createdAt":1587592193834,"name":"GCP unauthorized user activity"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google accesses your Google Workspace tenant using administrative tools. \n\n## Strategy\nMonitor Google Workspace logs to detect `ACCESS` events, which are part of Google's [Access Transparency][1] logs.\n\n## Triage and response\n1. Determine the scope of Google's access activity, which can be found in the `ACCESS` event in the Google Workspace event log.\n2. Review which Google Workspace user (`@event.parameters.OWNER_EMAIL`) and resources (`@event.parameters.RESOURCE_NAME`) were accessed by Google.\n3. 
Investigate the resource(s) being accessed to determine if there is a legitimate reason it should be reviewed by Google.\n\n[1]: https://support.google.com/a/answer/9230474?hl=en","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite service:access_transparency","groupByFields":[],"aggregation":"count","name":"workspace_accessed_by_google","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"workspace_accessed_by_google > 0"}],"type":"log_detection","id":"q4c-pxc-lbn","createdAt":1654120270956,"name":"Google Workspace accessed by Google"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:T1098-account-manipulation","technique:TA0003-persistence","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a new Google Workspace administrative role.\n\n## Strategy\nMonitor Google Workspace logs to detect `CREATE_ROLE` events.\n\n## Triage and response\n1. Determine if there is a legitimate reason for the new administrator role (`@event.parameters.ROLE_NAME`).\n2. If there is not a legitimate reason, investigate activity from around the Google Workspace administrator (`{{@usr.email}}`) and IP that created the role (`{{@network.client.ip}}`). 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:CREATE_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_created","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_created > 0"}],"type":"log_detection","id":"isw-chn-iqi","createdAt":1654262215364,"name":"Google Workspace admin role created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","technique:T1098-account-manipulation","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the super administrator group on Google Workspace.\n\n## Strategy\nMonitor Google Workspace logs to detect `ASSIGN_ROLE` events where `@event.parameters.ROLE_NAME` is `_SEED_ADMIN_ROLE`. \n\n## Triage and response\n1. Verify with the Google admin (`{{@usr.email}}`) if the Google Workspace user in the `@event.parameters.USER_EMAIL` attribute should legitimately be given the super admin role.\n2. If the user in `@event.parameters.USER_EMAIL` was not legitimately added, investigate activity from the IP address (`{{@network.client.ip}}`) that made the role addition.\n3. 
Review activity around the Google Workspace admin who made the change (`{{@usr.email}}`) and the newly added super admin (`@event.parameters.USER_EMAIL`).","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:ASSIGN_ROLE @event.parameters.ROLE_NAME:_SEED_ADMIN_ROLE","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_added","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"admin_role_added > 0"}],"type":"log_detection","id":"ort-cx2-jwq","createdAt":1654014456902,"name":"Google Workspace user assigned to super admin role"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","tactic:TA0009-collection","technique:T1114-email-collection","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCreate a signal when Google Workspace detects a user setting up mail forwarding to a non-Google Workspace domain.\n\n## Strategy\nMonitor Google Workspace logs to detect when `email_forwarding_out_of_domain` events.\n\n## Triage and response\n1. Determine if the email address defined in `@event.parameters.email_forwarding_destination_address` is legitimate.\n2. 
If the forwarding destination address is not legitimate, review all activity for `{{@usr.email}}` and all activity around the following IP: `{{@network.client.ip}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.name:email_forwarding_out_of_domain","groupByFields":["@usr.email"],"aggregation":"count","name":"non_workspace_domain","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"non_workspace_domain > 0"}],"type":"log_detection","id":"ozn-l6x-exp","createdAt":1654021004136,"name":"Google Workspace user forwarding email out of non Google Workspace domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.16","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.\n\n## Rationale\n\nThe IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. 
The IPC namespace should therefore not be shared between the host and its containers.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: IpcMode={{ .HostConfig.IpcMode }}'` \n\nIf the command returns `host`, it means that the host IPC namespace is shared with the container. Any other result means that it is not shared, and that the system is configured in line with good security practice.\n\n## Remediation\n\nDo not start a container with the `--ipc=host` argument. For example, do not start a container with the command `docker run --interactive --tty --ipc=host centos /bin/bash`\n\n## Impact\n\nShared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace. A container's IPC namespace can be shared with another container. For example, `docker run --interactive --tty --ipc=container:e3a7a1a97c58 centos /bin/bash`\n\n## Default value\n\nBy default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#ipc-settings-ipc\n2. 
http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.16","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qpe-nj2-sl8","createdAt":1599604030036,"name":"Host's IPC namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.20","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.\n\n## Rationale\n\nSharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. 
This is not in line with good security practice and should not be permitted.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'` \n\nIf this command returns `host`, it means the host UTS namespace is shared with the container and this recommendation is non-compliant. If the above command returns nothing, then the host's UTS namespace is not shared. This recommendation is then compliant.\n\n## Remediation\n\nYou should not start a container with the `--uts=host` argument. For example, do not start a container using the command `docker run --rm --interactive --tty --uts=host rhel7.2`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#uts-settings-uts\n2. http://man7.org/linux/man-pages/man7/namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.20","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j1n-gsx-mlx","createdAt":1599605987292,"name":"Host's UTS namespace is not 
shared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.9","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWhen the networking mode on a container is set to `--net=host`, the container is not placed inside a separate network stack. Effectively, applying this option instructs Docker to not containerize the container's networking. The consequence of this is that the container lives \"outside\" in the main Docker host and has full access to its network interfaces.\n\n## Rationale\n\nSelecting this option is potentially dangerous. It allows the container process to open reserved low numbered ports in the way that any other root process can. It also allows the container to access network services such as D-bus on the Docker host. A container process could potentially carry out undesired actions, such as shutting down the Docker host. This option should not be used unless there is a very specific reason for enabling it.\n\n## Audit\n\nUse this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'` If this returns `NetworkMode=host`, it means that the `--net=host` option was passed when the container was started.\n\n## Remediation\n\nYou should not pass the --net=host option when starting any container.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, containers connect to the Docker bridge when starting and do not run in the context of the host's network stack.\n\n## References\n\n1. https://docs.docker.com/engine/userguide/networking/ 2. 
https://docs.docker.com/engine/reference/run/#network-settings\n\n## CIS controls\n\nVersion 6 12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.9","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"1qj-oqa-jau","createdAt":1599605510860,"name":"Host's network namespace is not shared with containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.15","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.\n\n## Rationale\n\nPID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. 
This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidMode={{ .HostConfig.PidMode }}'` \n\nIf the command returns `host`, it means that the host PID namespace is shared with its containers; any other result means that the system is configured in line with good security practice.\n\n## Remediation\n\nYou should not start a container with the `--pid=host` argument. For example, do not start a container with the command: `docker run --interactive --tty --pid=host centos /bin/bash`\n\n## Impact\n\nContainer processes cannot see processes on the host system. In certain circumstances, you may want your container to share the host's process namespace. For example, you could build a container containing debugging tools such as strace or gdb, and want to use these tools when debugging processes on the host. If this is desired, then share specific host processes using the `-p` switch. For example: `docker run --pid=host rhel7 strace -p 1234`\n\n## Default value\n\nBy default, all containers have the PID namespace enabled and the therefore the host's process namespace is not shared with its containers.\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#pid-settings-pid 2. 
http://man7.org/linux/man-pages/man7/pid_namespaces.7.html\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.15","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mk8-jwd-4ag","createdAt":1599600919537,"name":"Host's process namespace is isolated from containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent","control:5.30"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not share the host's user namespaces with containers running on it.\n\n## Rationale\n\nUser namespaces ensure that a root process inside the container will be mapped to a non-root process outside the container. Sharing the user namespaces of the host with the container does not therefore isolate users on the host from users in the containers.\n\n## Audit\n\nRun this command and ensure that it does not return any value for `UsernsMode`. If it returns a value of `host`, it means that the host user namespace is shared with its containers: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'`\n\n## Remediation\n\nDo not share user namespaces between host and containers. 
For example, do not run the command `docker run --rm -it --userns=host ubuntu bash`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the host user namespace is shared with containers unless user namespace support is enabled.\n\n## References\n\n1. https://docs.docker.com/engine/security/userns-remap/\n2. https://docs.docker.com/engine/reference/commandline/run/#options\n3. https://github.com/docker/docker/pull/12648\n4. https://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf\n\n## CIS controls\n\nVersion 6\n\n12 Boundary Defense Boundary Defense\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.30","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.30\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"e7c-uzf-jwy","createdAt":1599604878282,"name":"Host's user namespaces are not shared with 
containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","security:compliance","scored:false","source:iam","cloud_provider:aws","control:1.7","control:164.308-a-3-ii-C","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","framework:security-labs","requirement:Information-Access-Management","control:CC6.2","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThis rule identifies IAM access keys that are older than one year and have not been used in the past 30 days.\n\n## Rationale\n\nThis is a good indicator that an access key or IAM user that is not used anymore, and raises a security risk. IAM access keys are static secrets that do not change. This leak represents a common cause for cloud security breaches.\n\n## Remediation\n\n* Verify that the IAM user is still actively used or if it can be removed.\n* Verify that the IAM access key is still actively used or if it can be removed.\n* If the IAM user is still needed, rotate the access key. 
For more information, see the [AWS documentation][2].\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/cis-aws-1.3.0-1.14/\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_RotateAccessKey\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-ii-C","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nlast_rotated_age_threshold := (((365 * 24) * 60) * 60) * 1000\n\nlast_used_age_threshold := (((30 * 24) * 60) * 60) * 1000\n\nhas_active_access_key(credential_report) if {\n\tcredential_report.access_key_1_active\n} else {\n\tcredential_report.access_key_2_active\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tnot credential_report.access_key_1_last_used_date\n}\n\naccess_key_1_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_1_last_used_date > last_used_age_threshold\n}\n\naccess_key_1_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_1_active\n\tseen - credential_report.access_key_1_last_rotated > last_rotated_age_threshold\n\taccess_key_1_used_too_long_ago(credential_report, seen)\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tnot 
credential_report.access_key_2_last_used_date\n}\n\naccess_key_2_used_too_long_ago(credential_report, seen) if {\n\tseen - credential_report.access_key_2_last_used_date > last_used_age_threshold\n}\n\naccess_key_2_non_compliant(credential_report, seen) if {\n\tcredential_report.access_key_2_active\n\tseen - credential_report.access_key_2_last_rotated > last_rotated_age_threshold\n\taccess_key_2_used_too_long_ago(credential_report, seen)\n}\n\nis_not_compliant(credential_report, seen) if {\n\taccess_key_1_non_compliant(credential_report, seen)\n} else {\n\taccess_key_2_non_compliant(credential_report, seen)\n}\n\nshould_skip(iam_user) if {\n\tcredential_report := iam_user.credential_report[0]\n\tnot credential_report.access_key_1_active\n\tnot credential_report.access_key_2_active\n} else {\n\tcount(iam_user.credential_report) == 0\n}\n\neval(iam_user) = \"skip\" if {\n\tshould_skip(iam_user)\n} else = \"fail\" {\n\tcredential_report := iam_user.credential_report[0]\n\tseen := iam_user.resource_seen_at\n\tis_not_compliant(credential_report, seen)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_user"]},"validationQuery":"","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"jye-nyb-yvd","createdAt":1654722265266,"name":"IAM access keys older than 1 year have not been used in the 
last 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@user_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@user_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"id":"qeq-byd-rf5","createdAt":1617159692975,"name":"IAM inline policy is not directly set for users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","security:compliance","cloud_provider:aws","control:1.8","control:8.1","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","control:CC6.3","control:8.1.1","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are a minimum length. The password policy should require a minimum password length of 14 characters.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78907-3\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\nVersion 7, 16 - Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.8","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.minimum_password_length:<14","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(@password_policy.minimum_password_length:<14)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fyg-ptq-tnx","createdAt":1599573999939,"name":"IAM password policy has 14 or more characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:1.9","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","framework:cis-aws","control:164.312-d","requirement:IAM","control:8.2.5","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.\n\n## Rationale\n\nPreventing password reuse increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78908-1\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy][3]\n\n## CIS controls\n\n4.4 Use unique passwords where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#configure-strong-password-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.2.5","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"1.9","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@password_policy.password_reuse_prevention:24","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (-@password_policy.password_reuse_prevention:24)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"wwj-kny-ll5","createdAt":1599574008460,"name":"IAM password policy prevents password 
reuse"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM policies are how privileges are granted to users, groups, or roles. It is recommended and considered best practice to give only the permissions required to perform a task. Determine what users need to do and then craft policies that let the users perform only those tasks, instead of allowing full administrative privileges.\n\n## Rationale\n\nIt's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later. Providing full administrative privileges instead of restricting to the minimum set of permissions that the user is required to do exposes the resources to potentially unwanted actions. IAM policies that have a statement with \"Effect\": \"Allow\" with \"Action\": \"*\" over \"Resource\": \"*\" should be removed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2] \n2. 
[http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3] \n3. CCE-78912-3\n4. [http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam][4]\n\n## CIS controls\n\nVersion 7, 4 - Controlled Use of Administrative Privileges\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n[4]: http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"con
trol":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nresource_not_compliant(policy_version_statement) if {\n\tresource := policy_version_statement.resource[_]\n\tresource == \"*\"\n}\n\naction_not_compliant(policy_version_statement) if {\n\taction := policy_version_statement.action[_]\n\taction == \"*\"\n}\n\npolicy_version_statement_not_compliant(policy_version_statement) if {\n\tpolicy_version_statement.effect == \"Allow\"\n\tresource_not_compliant(policy_version_statement)\n\taction_not_compliant(policy_version_statement)\n}\n\neval(iam_policy) = \"skip\" if {\n\tiam_policy.scope != \"Local\"\n} else = \"fail\" {\n\tpolicy_version_statement := iam_policy.policy_version_statements[_]\n\tpolicy_version_statement_not_compliant(policy_version_statement)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_policy"]},"validationQuery":"","resourceType":"aws_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"31y-0if-yxo","createdAt":1599574003839,"name":"IAM policies that allow full \"*:*\" administrative privileges are not 
created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security","security:compliance","control:1.15","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Control-Activities","control:7.2.1","control:A.9.4.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, IAM users, groups, and roles have no access to AWS resources. IAM policies are how privileges are granted to users, groups, or roles. You should apply IAM policies directly to groups and roles but not to users.\n\n## Rationale\n\nAssigning privileges at the group or role level reduces access management's complexity as the number of users grows. Reducing access management complexity may in-turn, lessen the opportunity for a principal to receive or retain excessive privileges inadvertently.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html][3]\n3. 
CCE-78912-3\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.15","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attached_policies:*","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 
0"}],"type":"cloud_configuration","id":"oys-6ti-vv4","createdAt":1599574006153,"name":"IAM policy does not have a user directly attached to it"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","framework:pci","control:164.308-a-4-ii-C","control:1.12","security:compliance","cloud_provider:aws","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:CC6.3","control:CC6.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIAM password policies can require passwords to be rotated or expired after a given number of days. The password policy should expire passwords after 90 days or less.\n\n## Rationale\n\nReducing the password lifetime increases account resiliency against brute force login attempts. Additionally, requiring regular password changes help if a password is stolen or compromised without your knowledge. This can happen if your system is compromised, because of a software vulnerability, or if there is an internal threat. Certain corporate and government web filters or proxy servers have the ability to intercept and record traffic even if it's encrypted. Many people use the same password for many systems such as work, email, and personal. Compromised end-user workstations might have a keystroke logger.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78909-9\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.3\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"1.12","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"(-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90))","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account ((-@password_policy:*) OR ((@password_policy.expire_passwords:false) OR (@password_policy.max_password_age:>90)))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"nus-wps-5cc","createdAt":1599574003696,"name":"IAM policy is set to expire passwords within 90 days or 
less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78904-0\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.6\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_lowercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_lowercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yaz-xyw-dr5","createdAt":1599574008777,"name":"IAM policy is set to require at least one lowercase 
letter"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one number.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78906-5\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.8\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_numbers:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_numbers:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ufg-4pj-olz","createdAt":1599574005590,"name":"IAM policy is set to require at least one 
number"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure passwords are comprised of different character sets. It is recommended that the password policy require at least one symbol.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78905-7\n\n## CIS controls\n\n16 Account Monitoring and Control Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.7\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_symbols:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_symbols:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dwv-hdv-vfe","createdAt":1599573999909,"name":"IAM policy is set to require at least one 
symbol"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","security:compliance","source:iam","cloud_provider:aws","control:8.1","requirement:Credentials","level:1","control:A.9.4.3","framework:soc-2","control:164.312-d","framework:iso-27001","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.1.4","control:8.2.3","framework:hipaa","requirement:Access-Control","requirement:Information-Access-Management","control:8.1.1","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPassword policies are, in part, used to enforce password complexity requirements. Use IAM password policies to ensure passwords are comprised of different character sets. The password policy should require at least one uppercase letter.\n\n## Rationale\n\nSetting a password complexity policy increases account resiliency against brute force login attempts.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. 
CCE-78903-2\n\n## CIS controls\n\n16 Account Monitoring and Control\n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.5\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.2.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_policy.require_uppercase_characters:false","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account (@password_policy.require_uppercase_characters:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jfe-07v-m1n","createdAt":1599573999945,"name":"IAM policy is set to require uppercase 
characters"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","security:compliance","source:iam","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Security-Management-Process","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:CC6.3","requirement:Information-Access-Management","control:CC6.2","framework:pci","control:164.308-a-4-ii-C","requirement:Workforce-Security"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm there are no [Amazon IAM users][1] (privileged users) with administrator permissions for your AWS account.\n\n## Rationale\n\nA privileged IAM user can access all AWS services and control resources through the [AdministratorAccess IAM managed policy][2]. Any user with administrator access that should not have access can potentially, whether unknowingly or purposefully, cause security issues or data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Removing a permissions policy from a user][6] docs to revoke AdministratorAccess for a user.\n\n### CLI\n\n1. Run `list-users` to get [a list of current IAM users][3].\n2. Run `list-user-policies` with an IAM `user-name` to find the [users attached policies][4].\n\n ```\n aws iam list-user-policies --user-name Name\n ```\n\n3. 
Run `detach-user-policy` to [revoke Administrator access][5] for that user.\n\n ```\n aws iam detach-user-policy --user-name Bob --policy-arn arn:aws:iam::123456789012:policy/TesterPolicy\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_administrator\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-users.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-user-policies.html#examples\n[5]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/detach-user-policy.html\n[6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@attac
hed_policies.policy_name:AdministratorAccess","resourceType":"aws_iam_user","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@attached_policies.policy_name:AdministratorAccess)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"z8a-10r-rdq","createdAt":1599574005071,"name":"IAM privileged user does have admin permissions to your AWS account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.2.1","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet a principal within your Amazon IAM policy.\n\n## Rationale\n\nA trust policy reduces the risks associated with privilege escalation. 
Setting a principal within your policy reduces the risk of unauthorized access to a resource.\n\n## Remediation\n\n### Console\n\nFollow the [Editing IAM policies][1] docs to learn how to grant permissions to a specific IAM user or account.\n\n### CLI\n\nFollow the [Editing managed policies (AWS CLI)][2] docs to learn how to grant permissions to a specific IAM or account using the CLI.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-policies-cli-api","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@role_policy.policy_principal.principal:(\"*\") OR 
@role_policy.policy_principal.principal_aws:(\"*\"))","resourceType":"aws_iam_role","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_role ((@role_policy.policy_principal.principal:(\"*\") OR @role_policy.policy_principal.principal_aws:(\"*\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q9l-42l-ape","createdAt":1619112188080,"name":"IAM role uses trusted principals"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","control:A.14.1.3","security:compliance","source:iam","cloud_provider:aws","framework:gdpr","control:4.1","requirement:Data-Protection","requirement:Security-of-Processing","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:A.9.4.3","framework:soc-2","requirement:Cardholder-Data","control:32.1a","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","requirement:Encryption-In-Transit","control:3.6.4","framework:pci","control:25.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your IAM service SSL/TLS certificates are renewed 30 days prior to their validity period ending.\n\n## Rationale\n\nIf a certificate becomes invalid, the communication between the client and AWS resource that implements certificates is no longer secure.\n\n## Remediation\n\n### Console\n\nFollow the [Managed renewal for ACM certificates][1] AWS documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n### CLI\n\nFollow the [Managed renewal for ACM certificates][1] AWS 
documentation to set up renewal by validation type (DNS, email, or private PKI).\n\n[1]: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nwithin_30_days(diff) if {\n\tdiff <= thirty_days_ms\n\tdiff > 0\n}\n\neval(iam_server_certificate) = \"pass\" if {\n\tdiff := iam_server_certificate.expiration - iam_server_certificate.resource_seen_at\n\tnot within_30_days(diff)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_iam_server_certificate"]},"validationQuery":"","resourceType":"aws_iam_server_certificate","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_server_certificate","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"nqd-536-xhi","createdAt":1632209935742,"name":"IAM server certificate will expire within 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:1.6","control:7.1","framework:cis-gcp","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","level:1","source:google_service_account","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nVerify that users have the Service Account User (`iam.serviceAccountUser`) and Service Account Token Creator (`iam.serviceAccountTokenCreator`) roles for a specific service account rather than at the project level.\n\n## Rationale\nA service account is a special Google account that belongs to an application or a virtual machine (VM), instead of to an individual end user. Application/VM-Instance uses the service account to call the service's Google API so that users aren't directly involved. 
In addition to being an identity, a service account is a resource that has IAM policies attached to it. These policies determine who can use the service account.\nUsers with IAM roles to update the App Engine and Compute Engine instances (such as App Engine Deployer or Compute Instance Admin) can effectively run code as the service accounts used to run these instances, and indirectly gain access to all the resources for which the service accounts have access. Similarly, SSH access to a Compute Engine instance may also provide the ability to execute code as that instance/service account.\nBased on business needs, there can be multiple user-managed service accounts configured for a project. Granting the `iam.serviceAccountUser` or `iam.serviceAccountTokenCreator` roles to a user for a project gives the user access to all service accounts in the project, including service accounts that may be created in the future. These roles can result in an elevation of privileges when someone uses a service account and corresponding Compute Engine instances.\nIn order to implement least privileges best practices, IAM users should not be assigned the Service Account User or Service Account Token Creator roles at the project level. Instead, these roles should be assigned to a user for a specific service account, giving that user access to the service account. The Service Account User role allows a user to bind a service account to a long-running job service, whereas the Service Account Token Creator role allows a user to directly impersonate (or assert) the identity of a service account.\n\n## Impact\nAfter revoking Service Account User or Service Account Token Creator roles at the project level from all impacted user accounts, these roles should be assigned to users for specific service accounts according to business needs.\n\n## Remediation\n\n### From console\n1. Go to the [IAM page][1] in the GCP Console.\n2. 
In the filter table text bar, enter the text `Role: Service Account User`.\n3. Click the delete bin icon in front of the role `Service Account User` for every user\nlisted as a result of the filter.\n4. In the filter table text bar, enter the text `Role: Service Account Token Creator`.\n5. Click the delete bin icon in front of the role `Service Account Token Creator` for\nevery user listed as a result of the filter.\n\n### From the command line\n1. Using a text editor, remove the bindings with the `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator`.\n For example, you can use the iam.json file shown below as follows:\n ```\n {\n \"bindings\": [\n {\n \"members\": [ \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n ],\n \"role\": \"roles/appengine.appViewer\" },\n {\n \"members\": [\n \"user:email1@gmail.com\"\n ],\n \"role\": \"roles/owner\"\n },\n {\n \"members\": [\n \"serviceAccount:our-project-123@appspot.gserviceaccount.com\",\n \"serviceAccount:123456789012-compute@developer.gserviceaccount.com\" ],\n \"role\": \"roles/editor\"\n }\n ],\n \"etag\": \"BwUjMhCsNvY=\"\n }\n ```\n2. Update the project's IAM policy:\n ```\n gcloud projects set-iam-policy PROJECT_ID iam.json\n ```\n## Default value\nBy default, users do not have the Service Account User or Service Account Token Creator role assigned at the project level.\n\n## References\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][3]\n3. [https://cloud.google.com/iam/docs/understanding-roles][4]\n4. [https://cloud.google.com/iam/docs/granting-changing-revoking-access][5]\n5. 
[https://console.cloud.google.com/iam-admin/iam][6]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts \n[4]: https://cloud.google.com/iam/docs/understanding-roles\n[5]: https://cloud.google.com/iam/docs/granting-changing-revoking-access \n[6]: https://console.cloud.google.com/iam-admin/iam\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.6","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_role(iam_policy, role) if {\n\tbinding := iam_policy.bindings[_]\n\tbinding.role == role\n\tmember := binding.members[_]\n\tnot endswith(member, \".gserviceaccount.com\")\n}\n\nnon_compliant_policy(iam_policy) if {\n\tnon_compliant_role(iam_policy, 
\"roles/iam.serviceAccountUser\")\n} else {\n\tnon_compliant_role(iam_policy, \"roles/iam.serviceAccountTokenCreator\")\n}\n\neval(iam_policy) = \"fail\" if {\n\tnon_compliant_policy(iam_policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"x4c-mos-epr","createdAt":1655328785677,"name":"IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:iis","scope:iis","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. 
If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:iis @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ftm-iao-udy","createdAt":1587530716843,"name":"IIS HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","requirement:Virtual-Machines","security:compliance","control:CC6.6","cloud_provider:gcp","control:4.6","requirement:Communications-Security","control:1.4","framework:cis-gcp","requirement:Compliance","level:1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCompute Engine instance cannot forward a packet unless the source IP address of the\npacket matches the IP address of the instance. 
Similarly, GCP won't deliver a packet whose\ndestination IP address is different than the IP address of the instance receiving the packet.\nHowever, both capabilities are required if you want to use instances to help route packets.\n\nDisable the forwarding of data packets to prevent data loss or information\ndisclosure.\n\n## Rationale\nTo enable source and destination IP check, disable the `canIpForward` option, which\nallows an instance to send and receive packets with non-matching destination or source\nIPs.\n\n## Impact\nDeleting instances that act as routers or packet forwarders may break network\nconnectivity.\n\n## Exception\nInstances created by GKE should be excluded because they need to have IP forwarding\nenabled and cannot be changed. Instances created by GKE have names that start with `gke-`.\n\n## Remediation\nYou can only edit the `canIpForward` setting at instance creation time. Therefore, if `canIpForward` is set to false for an instance, you must delete the instance and create a new one.\n\n### From console\n1. Go to the `VM Instances` page: \n[https://pantheon.corp.google.com/compute/instances][1].\n2. Select the `VM Instance` you want to remediate.\n3. Click the `Delete` button.\n4. On the `VM Instances` page, click `CREATE INSTANCE`.\n5. Create a new instance with the desired configuration. By default, the instance is\nconfigured to not allow IP forwarding.\n\n### From the command line\n1. Delete the instance:\n ```\n gcloud compute instances delete INSTANCE_NAME\n ```\n2. Create a new instance to replace it, with IP forwarding set to Off\n ```\n gcloud compute instances create\n ```\n\n## Default Value:\nBy default, instances are not configured to allow IP forwarding.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-routes#canipforward][2]\n\n\n## Additional Information:\n\nYou can only set the `canIpForward` field at instance creation time. 
After an instance is\ncreated, the field becomes read-only.\n\n## CIS Controls\n\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 11.1 Maintain Standard Security Configurations for Network\nDevices\n- Maintain standard, documented security configuration standards for all authorized\nnetwork devices.\n\nVersion 7 - 11.2 Document Traffic Configuration Rules\n- All configuration rules that allow traffic to flow through network devices should be\ndocumented in a configuration management system with a specific business reason for\neach rule, a specific individual\u2019s name responsible for that business need, and an\nexpected duration of the need.\n\n[1]: https://pantheon.corp.google.com/compute/instances\n[2]: 
https://cloud.google.com/vpc/docs/using-routes#canipforward","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.6","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tcompute_instance.can_ip_forward\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nh8-voo-5oy","createdAt":1656620560349,"name":"IP forwarding is not enabled on instances"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","framework:gdpr","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","level:1","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","requirement:Contingency-Plan","scope:azure.storage","framework:pci","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","source:azure.storage","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1c","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nImmutability is enabled for Azure Storage Blobs.\n\n## Rationale\n\nImmutability for Azure Blob enables Writes once read many (WORM) state storage, which protects data from being overwritten or deleted. \n\nThe two types of immutability policies are time-based retention and legal hold. Time-based policies are cleared when the time period expires. Legal holds are cleared when they are manually modified. 
\n\n## Remediation\n\n### Console\n\nFollow the [Enable version-level immutability support on a storage account - Azure Console][1] guide to enable version-level immutability with the Azure Console.\n\n### CLI\n\nFollow the [Enable version-level immutability support on a storage account - Azure CLI][2] guide to enable version-level immutability with the Azure CLI. \n\n[1]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-portal\n[2]: https://docs.microsoft.com/en-us/azure/storage/blobs/immutable-policy-configure-version-scope?tabs=azure-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"@hasLegalHold:false @hasImmutabilityPolicy:false","resourceType":"azure_storage_blob_container","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_blob_container (@hasLegalHold:false 
@hasImmutabilityPolicy:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"8q8-s4l-qhy","createdAt":1645177333114,"name":"Immutable Blob Storage is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1078-valid-accounts","source:auth0","scope:auth0","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event when two successful authentication events occur in a short time frame.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the user `{{@usr.name}}` traveled more than 500km at over 1,000km/hr.\n\n## Triage and response\n1. Determine if the user `{{@usr.name}}` should have authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If `{{@user.name}}` should not authenticated from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any instance actions that may have occurred after the illegitimate login.\n\n**NOTE** VPNs and other anonymous IPs are filtered out of this signal\n\n## Changelog\n* 10 October 2022 - Updated query.\n","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"auth0_impossible_travel","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.name"],"query":"source:auth0 @evt.category:authentication @evt.name:success_login -@threat_intel.results.category:anonymizer"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"m3u-dhg-c5l","createdAt":1651740293973,"name":"Impossible Travel Auth0 login"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:aws","source:aws","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nCorrelate an impossible travel login with permission enumeration of a user.\n\n## Strategy\nCorrelate the [User travel was impossible in AWS CloudTrail IAM log][1] and [A user received multiple AccessDenied errors][2] signals based on the ARN: {{@userIdentity.arn}}.\n\n## Triage and response\n1. Set signal triage state to `Under Review`.\n2. 
Determine if the impossible travel login was is legitimate.\n * If the login was not legitimate:\n * Investigate the user using the `User Investigation Dashboard`\n * Rotate credentials on the account\n * Enable MFA if it is not already enabled\n * If the login was legitimate:\n * Triage the signal as a false positive\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-user-impossible-travel-with-baseline-user-locations\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"user_travel_was_impossible_in_cloudtrail_iam_log","additionalFilters":"","defaultRuleId":"fc6-4t7-vx9","groupByFields":[],"aggregation":"event_count"},{"distinctFields":[],"correlatedByFields":["network.client.ip","@userIdentity.arn"],"name":"a_user_received_multiple_access_denied_errors","additionalFilters":"","defaultRuleId":"1b1-37a-74c","groupByFields":[],"aggregation":"event_count"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"user_travel_was_impossible_in_cloudtrail_iam_log > 0 && a_user_received_multiple_access_denied_errors > 0"}],"type":"signal_correlation","id":"zfw-zxw-uf2","createdAt":1664829682320,"name":"Impossible travel event leads to permission 
enumeration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the possibility of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 445, commonly used by client/server applications, and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) or man-in-the-middle attacks (MITM), can occur when permitting unrestricted Common Internet File System (CIFS) access. TCP port 445 is the port commonly used by client/server applications as a means of communication between network nodes over TCP.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 445.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 445\n --cidr 0.0.0.0/0\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=445 @to_port:>=445))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"l9k-64o-mzm","createdAt":1599573999953,"name":"Inbound CIFS access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the possibility of a breach by checking EC2 security groups for inbound rules that allow unfettered access to TCP and UDP port 53, commonly used during DNS resolution when a request is sent from DNS clients to DNS servers or between DNS servers.\n\n## 
Rationale\n\nMalicious activity, such as distributed denial-of-service (DDoS) attacks, can occur when permitting unfettered DNS access.\n\n## Remediation\n\n## Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n## CLI\n\n1. Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to port 53.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 53, \"ToPort\": 53, \"IpRanges\": [{\"CidrIp\": \"192.0.2.0/24\"}]}]'\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework"
:"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 53\n\trule.to_port >= 53\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kri-ci1-ymo","createdAt":1599573999958,"name":"Inbound DNS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 9200, used by the [Elasticsearch][2], and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered Elasticsearch access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][3] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. First, remove the security group rule(s) that allow public, unrestricted access to the Elasticsearch database. The rule in question will open port 9200 for ingress from anywhere.\n\n2. Now that the database is contained, authorize only the specific entities that need access to the database like EC2 instances, or lambdas. 
You can do this by adding inbound security group rules for a specific elastic IP address, a specific range of IP addresses, or by allowing access for entities in another AWS security group.\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://aws.amazon.com/elasticsearch-service/\n[3]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"T
ransmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=9200 @to_port:>=9200))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"rns-eiq-lpl","createdAt":1599574008022,"name":"Inbound Elasticsearch access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP ports 20 and 21 (used by client/server 
applications for communication and file transfer) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and FTP bounce attacks, can occur when permitting unfettered access to these ports.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 20 and 21.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict FTP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 20\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=20 @to_port:>=20) OR (@from_port:<=21 @to_port:>=21))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"9lv-1l3-vtp","createdAt":1599574002076,"name":"Inbound FTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 80 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### 
CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 80.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 80\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 445\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Ac
cess-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=80 @to_port:>=80))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o4x-exf-xn9","createdAt":1599574008139,"name":"Inbound HTTP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 443 (used by HTTP) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 443.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict TCP access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 443\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","r
equirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 443\n\trule.to_port >= 443\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"vud-y9z-ucg","createdAt":1599574003526,"name":"Inbound HTTPS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to host using the Internet Control Message Protocol (ICMP), a protocol commonly used to troubleshoot TCP/IP networks and deliver IP packets, and restrict access.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and Smurf/Fraggle attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to restrict access to host using the ICMP.\n\n### CLI\n\n1. 
Run `describe-security-groups` with a filter to [expose security groups][1] that allow access to host using ICMP.\n\n ```\n aws ec2 describe-security-groups\n\t --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='192.0.2.0/24'\n\t --query 'SecurityGroups[*].{Name:GroupName}'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\nunrestricted_protocol(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"all\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"ingress\"\n\tunrestricted_protocol(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"kyz-e99-tys","createdAt":1599573999911,"name":"Inbound ICMP access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1433 (used by the Microsoft SQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1433.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1433 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1433\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr"
,"requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1433 @to_port:>=1433))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5oc-hdq-fx7","createdAt":1599574003135,"name":"Inbound MSSQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 27017 (used by the MongoDB database) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 27017.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict CIFS access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 27017\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","
requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=27017 @to_port:>=27017))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"lhy-ttz-yif","createdAt":1599574007108,"name":"Inbound MongoDB access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 3306 (used by the MySQL Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 3306.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 3306 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 3306\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=3306 @to_port:>=3306))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"yph-h6z-ant","createdAt":1599574008744,"name":"Inbound MySQL access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 1521 (used by the Oracle Database Server) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) attacks and hacking, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 1521.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 1521 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 1521\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdp
r","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=1521 @to_port:>=1521))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"2wg-auf-5gz","createdAt":1599574002369,"name":"Inbound Oracle access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 135 (used by Microsoft Message Queuing (MSMQ) and other Windows software) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as backdoor command shell hacking and denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 135.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 135 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 135\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 135\n\trule.to_port >= 135\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7vm-6f7-nfs","createdAt":1599574003256,"name":"Inbound RPC access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 25 (used by Simple Mail Transfer Protocol (SMTP) for email transmission) and restrict access to IP addresses that require this port.\n\n\n## Rationale\n\nMalicious activity, such as spamming, hacking, Shellshock, and 
denial-of-service (DoS) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 25.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 25 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 25\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 25\n\trule.to_port >= 25\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = 
\"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"fxy-iwb-1ji","createdAt":1599574007156,"name":"Inbound SMTP access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 22 
(used for secure remote login) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as man-in-the-middle (MITM) and brute-force attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 22.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 22 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 22\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=22 @to_port:>=22))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"jq1-v7m-jkf","createdAt":1599574005407,"name":"Inbound SSH access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group 
rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to TCP port 139.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 139\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"
control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 139\n\trule.to_port >= 139\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"bls-coy-rpp","createdAt":1599574002491,"name":"Inbound TCP NetBIOS access is 
restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 23 (used by the Telnet server application) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as spoofing, brute-force, and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-ingress` to [remove inbound rules][2] that allow unrestricted access to port 23.\n\n ```\n aws ec2 revoke-security-group-ingress\n --group-name group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n2. 
Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict port 23 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol tcp\n --port 23\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress 
(@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"tcp\" OR \"6\") ((-@from_port:* -@to_port:*) OR (@from_port:<=23 @to_port:>=23))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"6oq-7ce-kej","createdAt":1599574007874,"name":"Inbound Telnet access is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReduce the probability of a breach by checking [EC2 security groups][1] for inbound rules that allow unfettered access to TCP port 139 and UDP ports 137 and 138 (used by services for NetBIOS name resolution) and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious 
activity, such as bad tunnel exploits or denial-of-service (DoS) and man-in-the-middle (MITM) attacks, can occur when permitting unfettered access to this port.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][4] docs to learn how to add a security group rule that will restrict access to a specific port.\n\n### CLI\n\n1. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 137 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 137\n --cidr 192.0.2.0/24\n ```\n\n2. Run `authorize-security-group-ingress` to [add new inbound rules][3] that restrict UDP ports 138 access.\n\n ```\n aws ec2 authorize-security-group-ingress\n --group-name your-group-name\n --protocol udp\n --port 138\n --cidr 192.0.2.0/24\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/revoke-security-group-ingress.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/authorize-security-group-ingress.html\n[4]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") ((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\")))","resourceType":"aws_security_group","filter":"","queryPath":"rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group (@direction:ingress (@ip_range:\"0.0.0.0/0\" OR @ip_range:\"::/0\") 
((@protocol:(\"udp\" OR \"17\") ((-@from_port:* -@to_port:*) OR (@from_port:<=137 @to_port:>=137) OR (@from_port:<=138 @to_port:>=138))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dpw-bar-91p","createdAt":1599574006398,"name":"Inbound UDP NetBIOS access is restricted"}]} + {"meta":{"page":{"total_filtered_count":0,"total_count":730}},"data":[]} headers: Content-Type: - application/json 
@@ -942,11 +772,11 @@ interactions: headers: Accept: - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=4&page%5Bsize%5D=100 + url: https://api.datadoghq.com/api/v2/security_monitoring/rules/3d9-oev-jbm method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","control:3.7","requirement:Communications-Security","control:4.1","control:2.1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3","framework:security-labs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nConfigure your instance to use an account other than the default Compute Engine service account, because it has the Editor role on the project.\n\n## Rationale\nThe default Compute Engine service account has the Editor role on the project, which allows read and write access to most Google Cloud Services. \nTo defend against privilege escalations if your VM is compromised and prevent an attacker from gaining access to all of your project, it is recommended that you not use the default Compute Engine service account. Instead, create a new service account and assign only the permissions needed by your instance. \nThe default Compute Engine service account is named `[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`.\n\n## Exception\nVMs created by GKE are excluded from this guidance. 
These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the instance name to go to its `VM instance details` page.\n3. Click `STOP` and then click `EDIT`.\n4. Under the section `API and identity management`, select a service account other\nthan the default Compute Engine service account. You may first need to create a new\nservice account.\n5. Click `Save` and then click `START`.\n\n### From the command line\n1. Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account=\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/service-accounts][2]\n2. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][3]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account][4]\n\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/service-accounts\n[3]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[4]: https://cloud.google.com/sdk/gcloud/reference/compute/instances/set-service-account","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.7","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tsa := compute_instance.service_accounts[_]\n\tendswith(sa.email, \"compute@developer.gserviceaccount.com\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else 
{\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"oqw-y1z-sik","createdAt":1655990336323,"name":"Instances are not configured to use the default service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Communications-Security","requirement:Default-Security-Parameter","control:4.2","control:2.1","framework:cis-gcp","control:2.1.1","requirement:Compliance","control:A.13.1.3","level:1","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:google_compute_instance","control:CC6.3","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo support the principle of least privileges and to prevent potential privilege escalation, assign instances to a service account other than the default `Compute Engine default service account` with Scope `Allow full access to all Cloud APIs`.\n\n## Rationale\nThe Google `Compute Engine default 
service account` for an instance can access necessary cloud services, as well as create, manage, and use user-managed custom service accounts. The `Project Editor` role is assigned to `Compute Engine default service account` so it has almost all capabilities over all cloud services except billing. However, when `Compute Engine default service account` is assigned to an instance it can operate in three scopes:\n\n1. Allow default access: Allows the minimum access required to run an\ninstance (least privileges).\n\n2. Allow full access to all Cloud APIs: Allows full access to all cloud\nAPIs and services (too much access).\n\n3. Set access for each API: Allows an instance administrator to choose only\nthose APIs that are needed to perform the specific business functionality\nexpected by instance.\n\nWhen an instance is configured with the `Compute Engine default service account` with\nscope `Allow full access to all Cloud APIs`, depending on the IAM roles assigned to the users\naccessing the instance, it may allow users to perform cloud operations and API calls that they are not\nsupposed to perform, leading to successful privilege escalation.\n\n## Exception\nVMs created by GKE are excluded from this rule. These VMs have names that start with `gke-` and are labeled `goog-gke-node`.\n\n## Impact\nTo change a service account or scope for an instance, the instance must be stopped.\n\n## Remediation\n\n### From the console\n1. Go to the `VM instances` page by visiting:\n[https://console.cloud.google.com/compute/instances][1].\n2. Click on the impacted VM instance.\n3. If the instance is not stopped, click the `Stop` button. Wait for the instance to stop.\n4. Click the `Edit` button.\n5. Scroll down to the `Service Account` section.\n6. Select a different service account or ensure that `Allow full access to all Cloud APIs` is not selected.\n7. Click the `Save` button to save your changes and then click `START`.\n\n### From the command line\n1. 
Stop the instance:\n ```\n gcloud compute instances stop \n ```\n2. Update the instance:\n ```\n gcloud compute instances set-service-account --service-account= --scopes [SCOPE1, SCOPE2...]\n ```\n3. Restart the instance:\n ```\n gcloud compute instances start \n ```\n\n## Default value\nBy default, Compute instances are configured to use the default Compute Engine service\naccount.\n\n## References\n1. [https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances][2]\n2. [https://cloud.google.com/compute/docs/access/service-accounts][3]\n\n## Additional Information:\n- User IAM roles override service account scope, but configuring minimal scope\nensures a deeper defence.\n- Non-default service accounts do not offer selection of access scopes like the default\nservice account does. Use IAM roles with non-default service accounts to\ncontrol VM access.\n\n## CIS Controls\n\nVersion 8 - 4.7: Manage Default Accounts on Enterprise Assets and Software\n- Manage default accounts on enterprise assets and software, such as root,\nadministrator, and other pre-configured vendor accounts. 
Example implementations\ncan include: disabling default accounts or making them unusable.\n\nVersion 7 - 4.7 Limit Access to Script Tools\n- Limit access to scripting tools (such as Microsoft PowerShell and Python) to only\nadministrative or development users with the need to access those capabilities.\n\n\n[1]: https://console.cloud.google.com/compute/instances\n[2]: https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances\n[3]: https://cloud.google.com/compute/docs/access/service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.2","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"fail\" {\n\tservice_accounts := compute_instance.service_accounts[_]\n\tendswith(service_accounts.email, \"compute@developer.gserviceaccount.com\")\n\tstartswith(service_accounts.scopes[_], \"https://www.googleapis.com/auth/cloud-platform\")\n} else = \"pass\" {\n\ttrue\n}\n\ngke(compute_instance) if 
{\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ica-spj-rua","createdAt":1656620517092,"name":"Instances are not configured to use the default service account with full access to all cloud APIs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:runtime-security-agent","security:attack","technique:T1609-container-administration-command"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the execution of a shell with the interactive flag (`-i`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to escalate privileges, break out of the container, or exfiltrate secrets by running interative shell utilities inside of the container. This detection triggers when execution of one of a set of common Linux shell utilities (like `bash` or `sh`) is detected in a container with the interactive flag (`-i`). 
If this is unexpected behavior, it could indicate an attacker attempting to run arbitrary commands inside of your containers and potentially break out onto the host.\n\n## Triage & Response\n1. Inspect the command line arguments of the shell process execution to determine if the shell was run with the `-i` flag.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:interactive_shell_in_container -@process.comm:(hostname OR sed OR find)","groupByFields":["host"],"aggregation":"count","name":"interactive_shell_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"interactive_shell_in_container","condition":"interactive_shell_in_container > 0"}],"type":"workload_security","id":"vc2-nws-ebu","createdAt":1653417817781,"name":"Interactive shell spawned in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect common shell utilities, HTTP utilities, or shells spawned by a Java process.\n\n## Strategy\nMany applications (like some databases, web servers, and search engines) run as Java processes. 
Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process). This detection triggers when a Java process spawns common shell utilities, HTTP utilities, or shells. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\n## Triage and response\n1. Determine the nature and purpose of the Java process.\n2. Determine whether there is an approved purpose for the Java process to execute shells and utilities.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:java_shell_execution","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(uname OR cat OR ls)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_suspicious","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution @process.executable.name:(curl OR wget OR whoami)","groupByFields":["host"],"aggregation":"count","name":"java_shell_execution_unusual","distinctFields":[]},{"query":"@agent.rule_id:java_shell_execution 
@process.envs:CONFLUENCE*","groupByFields":["host"],"aggregation":"count","name":"confluence_server_spawned_shell_potential_rce","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"confluence_server_spawned_shell_potential_rce","condition":"confluence_server_spawned_shell_potential_rce > 0"},{"status":"high","notifications":[],"name":"java_shell_execution_unusual","condition":"java_shell_execution_unusual > 0"},{"status":"medium","notifications":[],"name":"java_shell_execution_suspicious","condition":"java_shell_execution_suspicious > 0"},{"status":"low","notifications":[],"name":"java_shell_execution","condition":"java_shell_execution > 0"}],"type":"workload_security","id":"bax-h0z-d14","createdAt":1617722069224,"name":"Java process spawned shell"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","technique:T1098-account-manipulation","scope:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a JumpCloud user grants administrative privileges on a user endpoint. This is not indicative of malicious activity, but detecting this event is valuable for auditing.\n\n## Strategy\n\nThis rule monitors JumpCloud audit logs to detect when a user triggers the `@evt.name` of `system_admin_grant`.\n\n## Triage and response\n\n1. Reach out to the admin making the change (`{{@usr.email}}`) to confirm that the user `(@usr.name`) should have administrative privileges on the specified resource (`@resource.name`).\n2. 
If the change was not authorized, reverify there are no other signals from the jumpcloud admin: {{@usr.email}} and the system (`@resource.name`).\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:system_admin_grant","groupByFields":["@usr.email"],"aggregation":"count","name":"system_admin_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"system_admin_grant > 0"}],"type":"log_detection","id":"0ym-nwo-srl","createdAt":1648844751568,"name":"Jumpcloud admin granted system privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:jumpcloud","requirement:Monitoring","scope:jumpcloud","framework:cis-aws","technique:T1078-valid-accounts","control:4.2","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud administrator authenticates without multi-factor authentication (MFA) enabled. This is not indicative of malicious activity, however as a best practice, administrator accounts should have MFA enabled.\n\n## Strategy\nThis rule monitors JumpCloud audit logs to detect when an admin user successfully authenticates to JumpCloud and the log indicates that `@mfa` is `false`.\n\n## Triage and response\n1. Reach out to the {{@usr.name}} to determine if the login was legitimate.\n2. If the login was legitimate, request that the user enables MFA.\n3. If the login wasn\u2019t legitimate, rotate the credentials, enable MFA and triage an actions uncovered from step 1.\n4. 
Review all user accounts to ensure MFA is enabled.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:admin_login_attempt @mfa:false @evt.outcome:true","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_login_no_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"admin_login_no_mfa > 0"}],"type":"log_detection","id":"mds-4sd-v5i","createdAt":1648844751569,"name":"Jumpcloud admin login without MFA"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","scope:jumpcloud","technique:T1078-valid-accounts","tactic:TA0001-initial-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Impossible Travel event with a JumpCloud administrator.\n\n## Strategy\nThe Impossible Travel detection type\u2019s algorithm compares the GeoIP data of the last log and the current log to determine if the user (`@usr.name`) traveled more than 500km at over 1,000km/h.\n\n## Triage and response\n1. Determine if {@usr.name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.\n2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} or {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.\n3. 
Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"impossible_travel_admin","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@usr.email"],"query":"source:jumpcloud @usr.type:admin"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":""}],"type":"log_detection","id":"wec-lzg-zau","createdAt":1648844772020,"name":"Jumpcloud admin triggered impossible travel scenario"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:jumpcloud","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to a JumpCloud user.\n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when administrative privileges are provisioned:\n\n* `user_admin_granted`\n\n## Triage and response\n1. Contact the JumpCloud administrator: `{{@usr.email}}` to confirm that the users or devices should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the JumpCloud administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:user_admin_granted","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_role_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"admin_role_grant > 0"}],"type":"log_detection","id":"goh-o1b-uuo","createdAt":1660796644737,"name":"Jumpcloud administrator role assigned"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is created. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is created:\n\n* `@evt.name:policy_create`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy creation was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_create","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_creation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_creation > 0"}],"type":"log_detection","id":"ht7-5pr-0hf","createdAt":1660809071730,"name":"Jumpcloud policy created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:jumpcloud","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a JumpCloud policy is modified. \n\n## Strategy\nThis rule lets you monitor the following JumpCloud event to detect when a policy is modified:\n\n* `@evt.name:policy_update`\n\n## Triage and response\n1. Contact the JumpCloud administrator `{{@usr.email}}` to confirm if the policy modification(s) was intended.\n2. 
If the change was **not** authorized, verify there are no other signals from the administrator:`{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:jumpcloud @evt.name:policy_update","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_update","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"policy_update > 0"}],"type":"log_detection","id":"epv-mm9-puh","createdAt":1660809071731,"name":"Jumpcloud policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:1.10","scope:google_kms_crypto_key","source:google_kms_crypto_key","requirement:Confidentiality","control:C1.2","framework:cis-gcp","requirement:Compliance","level:1","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","requirement:Identity-and-Access-Management","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGoogle Cloud Key Management Service stores cryptographic keys in a hierarchical structure designed for useful and elegant access control management.\nThe format for the rotation schedule depends on the client library that is used. For the gcloud CLI, the flag `--next-rotation-time` must be in ISO or RFC3339 format; the flag `--rotation-period` must be in the format `INTEGER[UNIT]`, where units can be one of: seconds (s), minutes (m), hours (h), or days (d). For example, `30d` for a rotation period of 30 days.\n\n## Rationale\nSet a key rotation period and starting time. 
A key can be created with a specified *rotation period*, which is the time between when new key versions are generated automatically. A key can also be created with a specified *next rotation time*. \n\nA key is a named object that represents a cryptographic key and is used for a specific purpose. The key material (the actual bits used for encryption) can change over time as new key versions are created.\nA key is used to protect a *corpus of data*. A collection of files could be encrypted with the same key, and people with `decrypt` permissions on that key would be able to decrypt those files. Therefore, it's necessary to make sure the rotation period is set to a specific time.\n\n## Impact\nAfter a successful key rotation, the older key version is required to decrypt the data encrypted by the previous key version.\n\n## Remediation\n\n### From console\n1. See your cryptographic keys by visiting: [https://console.cloud.google.com/security/kms][1].\n2. Click on the specific key ring.\n3. From the list of keys, locate the key you wish to edit. Click on the three vertical dots under the **Actions** column.\n4. Click on **Edit rotation period**.\n5. In the pop-up window, select a new rotation period. Choose value less than 90 days. Then, choose the date from which the rotation period begins.\n\n### From the command line\n1. Update and schedule rotation by `ROTATION_PERIOD` and `NEXT_ROTATION_TIME` for each key:\n For example, you can use the iam.json file shown below as follows:\n ```\n gcloud kms keys update new --keyring=KEY_RING --location=LOCATION --next- rotation-time=NEXT_ROTATION_TIME --rotation-period=ROTATION_PERIOD\n ```\n\n## Default value\nBy default, KMS encryption keys are rotated every 90 days.\n\n## References\n1. [https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation][2]\n2. 
[https://cloud.google.com/kms/docs/re-encrypt-data][3]\n\n\n## Additional Information\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/security/kms\n[2]: https://cloud.google.com/kms/docs/key-rotation#frequency_of_key_rotation\n[3]: https://cloud.google.com/kms/docs/re-encrypt-data\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\n# convert rotation period from string to int (number of days)\nparse_rotation_period(str) = parsed if {\n\tendswith(str, \"s\")\n\tparsed := to_number(trim_suffix(str, \"s\")) / 86400\n} else = parsed {\n\tendswith(str, \"m\")\n\tparsed := to_number(trim_suffix(str, \"m\")) / 1440\n} else = parsed {\n\tendswith(str, \"h\")\n\tparsed := to_number(trim_suffix(str, \"h\")) / 24\n} else = parsed {\n\tendswith(str, \"d\")\n\tparsed := to_number(trim_suffix(str, \"d\"))\n}\n\neval(kms_crypto_key) = \"skip\" if {\n\tnot lower(kms_crypto_key.primary.state) == \"enabled\"\n} else = \"pass\" {\n\ttoday := kms_crypto_key.resource_seen_at / 86400000\n\tnext_rotation := kms_crypto_key.next_rotation_time / 86400000\n\tnext_rotation - today <= 
90\n\tparse_rotation_period(kms_crypto_key.rotation_period) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_kms_crypto_key"]},"validationQuery":"","resourceType":"gcp_kms_crypto_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_kms_crypto_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"l1f-f94-1my","createdAt":1655491486886,"name":"KMS Encryption Keys are rotated within a period of 90 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1547","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications made to the `/boot/` directory.\n\n## Strategy\nThe /boot/ directory in Linux contains everything required for the system to boot. This includes the kernel and other important boot files and data. Attackers may attempt to modify the /boot/ directory to inject malicious code or configuration. This can allow the attacker to gain persistence, by running the malicious code or configuration at boot time. It can also allow the attacker to run malicious code with elevated system privileges.\n\n## Triage & Response\n1. Check to see what modifications were made to the `/boot/` directory.\n2. Cross-check any changes with known system activity, such as startup scripts, or maintenance.\n3. 
If these changes are not acceptable, roll back the host or container in question to a known good `/boot/` configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"kernel_modification\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"9cs-fap-2er","createdAt":1606142931057,"name":"Kernel Modification"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux. This detection watches for all new files created under that directory.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check which user or process created the module.\n3. 
If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(kernel_module OR kernel_module_chmod OR kernel_module_chown OR kernel_module_link OR kernel_module_rename OR kernel_module_open OR kernel_module_unlink OR kernel_module_utimes) -@process.envs:DPKG_FRONTEND_LOCKED","groupByFields":["host"],"aggregation":"count","name":"kernel_module","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"kernel_module","condition":"kernel_module > 0"}],"type":"workload_security","id":"jq9-m1m-spt","createdAt":1598516746168,"name":"Kernel module directory modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.3","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kube-proxy kubeconfig file controls various parameters of the kube-proxy service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system. It is possible to run kube-proxy with the kubeconfig parameters configured as a Kubernetes ConfigMap instead of a file. In this case, there is no proxy kubeconfig file.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. 
If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a `. Verify that if a file is specified and it exists, the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n```\nchmod 644 \n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.3","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"alc-y7j-j9q","createdAt":1599602091672,"name":"Kube-proxy configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.4","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIf kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root.\n\n## Rationale\n\nThe kubeconfig file for kube-proxy controls various parameters for the kube-proxy service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nFind the kubeconfig file being used by `kube-proxy` by running the following command: `ps -ef | grep kube-proxy`. If `kube-proxy` is running, get the kubeconfig file location from the `--kubeconfig` parameter.\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G `. 
Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node:\n\n`chown root:root `\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, proxy file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-proxy/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kube-proxy/\n\n## Audit\n\nFind the kubeconfig file being used by kube-proxy by running the following command: ps -ef | grep kube-proxy If kube-proxy is running, get the kubeconfig file location from the --kubeconfig parameter. Run the below command (based on the file location on your system) on the each worker node. 
For example, stat -c %U:%G Verify that the ownership is set to root:root.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.4","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oat-dei-klo","createdAt":1599604401268,"name":"Kube-proxy configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.11","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet client certificate rotation.\n\n## Rationale\n\nThe `--rotate-certificates` setting causes the kubelet to rotate its client certificates by creating new CSRs as its existing credentials expire. This automated periodic rotation ensures that the there is no downtime due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself. \n\n*Note*: This feature also requires the `RotateKubeletClientCertificate` feature gate to be enabled (which is the default since Kubernetes v1.7).\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. 
Verify that the `--rotate-certificates` argument is not present, or is set to true. If the `--rotate-certificates` argument is not present, verify that if there is a Kubelet config file specified by `--config`, that file does not contain `rotateCertificates: false`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to add the line `rotateCertificates: true` or remove it altogether to use the default value. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and remove the `--rotate-certificates=false` argument from the `KUBELET_CERTIFICATE_ARGS` variable. Based on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet client certificate rotation is enabled.\n\n## References\n\n1. [https://github.com/kubernetes/kubernetes/pull/41912 ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration ][2]\n3. [https://kubernetes.io/docs/imported/release/notes/ ][3]\n4. [https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted - Networks All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/41912\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/#kubelet-configuration\n[3]: https://kubernetes.io/docs/imported/release/notes/\n[4]: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.11","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"9x3-sy5-pte","createdAt":1599605353070,"name":"Kubelet client certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.10","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file is owned by root:root.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be owned by root:root.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %U:%G /var/lib/kubelet/config.yaml`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step): `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `/var/lib/kubelet/config.yaml` file as set up by kubeadm is owned by `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.10","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ptl-pla-t0c","createdAt":1599605828233,"name":"Kubelet configuration file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUse https for kubelet connections.\n\n## Rationale\n\nConnections from apiserver to kubelets could potentially carry sensitive data such as secrets and keys. 
It is thus important to use in-transit encryption for any communication between the apiserver and kubelets.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--kubelet-https` argument either does not exist or is set to `true`.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and remove the `--kubelet-https` parameter.\n\n## Impact\n\nYou require TLS to be configured on apiserver as well as kubelets.\n\n## Default value\n\nBy default, kubelet connections are over https.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.4","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ftg-h4g-hqj","createdAt":1599600981186,"name":"Kubelet connections use HTTPS"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.8","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nRestrict kubelet nodes to reading only objects associated with them.\n\n## Rationale\n\nThe Node authorization mode only allows kubelets to read Secret, ConfigMap, PersistentVolume, and PersistentVolumeClaim objects associated with their nodes.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include Node.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes Node. `--authorization-mode=Node,RBAC`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, Node authorization is not enabled.\n\n## References\n\n1. 
[https://kubernetes.io/docs/admin/kube-apiserver/ ][1]\n2. [https://kubernetes.io/docs/admin/authorization/node/ ][2]\n3. [https://github.com/kubernetes/kubernetes/pull/46076 ][3]\n4. [https://acotten.com/post/kube17-security][4]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/admin/kube-apiserver/ \n[2]: https://kubernetes.io/docs/admin/authorization/node/ \n[3]: https://github.com/kubernetes/kubernetes/pull/46076 \n[4]: https://acotten.com/post/kube17-security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.8","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vgg-kwx-7dh","createdAt":1599602338742,"name":"Kubelet nodes are only authorized to read objects they are associated with"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.2","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not allow all requests. 
Enable explicit authorization.\n\n## Rationale\n\nKubelets, by default, allow all authenticated requests (even anonymous ones) without needing explicit authorization checks from the API server. You should restrict this behavior and only allow explicitly authorized requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. If the `--authorization-mode` argument is present check that it is not set to AlwaysAllow. If it is not present check that there is a Kubelet config file specified by `--config`, and that file sets authorization: mode to something other than AlwaysAllow. It is also possible to review the running configuration of a Kubelet via the /configs endpoint on the Kubelet API port (typically `10250/TCP`). Accessing these with appropriate credentials will provide details of the Kubelet's configuration.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set authorization: mode to Webhook. If using executable arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--authorization-mode=Webhook`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nUnauthorized requests will be denied.\n\n## Default value\n\nBy default, `--authorization-mode` argument is set to `AlwaysAllow`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. 
[https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication][2]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\nVersion 7.14 Controlled Access Based on the Need to Know\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.2","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"un4-gin-3dq","createdAt":1599600248005,"name":"Kubelet only allows explicitly authorized requests"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.4","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable the read-only port.\n\n## Rationale\n\nThe Kubelet process provides a read-only API in addition to the main Kubelet API. Unauthenticated access is provided to this read-only API which could possibly retrieve potentially sensitive information about the cluster.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--read-only-port` argument exists and is set to 0. If the `--read-only-port` argument is not present, check that there is a Kubelet config file specified by `--config`. 
Check that if there is a readOnlyPort entry in the file, it is set to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `readOnlyPort` to 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--read-only-port=0`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nRemoval of the read-only port will require that any service which made use of it will need to be re-configured to use the main Kubelet API.\n\n## Default value\n\nBy default, `--read-only-port` is set to 10255/TCP. However, if a config file is specified by `--config` the default value for `readOnlyPort` is 0.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.4","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dgo-kog-lle","createdAt":1599604369044,"name":"Kubelet read-only port is disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.10","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSetup TLS connection on the Kubelets.\n\n## Rationale\n\nKubelet communication contains sensitive parameters that should remain encrypted in transit. Configure the Kubelets to serve only HTTPS traffic.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--tls-cert-file` and `--tls-private-key-file` arguments exist and they are set as appropriate. If these arguments are not present, check that there is a Kubelet config specified by `--config` and that it contains appropriate settings for `tlsCertFile` and `tlsPrivateKeyFile`.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `tlsCertFile` to the location of the certificate file to use to identify this Kubelet, and `tlsPrivateKeyFile` to the location of the corresponding private key file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameters in K`UBELET_CERTIFICATE_ARGS` variable.\n\n```\n--tls-cert-file=\n--tls-private-key-file=\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nTLS and client certificate authentication must be configured for your Kubernetes cluster deployment.\n\n## Default value\n\nBy default, `--tls-cert-file` and `--tls-private-key-file` arguments are not set. If `--tls-cert-file` and `--tls-private-key-file` are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to `--cert-dir`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/ ][2]\n3. [https://github.com/kelseyhightower/docker-kubernetes-tls-guide ][3]\n4. [https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/][4]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: http://rootsquash.com/2016/05/10/securing-the-kubernetes-api/\n[3]: https://github.com/kelseyhightower/docker-kubernetes-tls-guide\n[4]: https://jvns.ca/blog/2017/08/05/how-kubernetes-certificates-work/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.10","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent 
@agent_rule_id:\"cis-kubernetes-1.5.1-4.2.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gqg-7cf-6bu","createdAt":1599603572402,"name":"Kubelet requires HTTPS connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.12","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable kubelet server certificate rotation.\n\n## Rationale\n\n`RotateKubeletServerCertificate` causes the kubelet to both request a serving certificate after bootstrapping its client credentials and rotate the certificate as its existing credentials expire. This automated periodic rotation ensures that the there are no downtimes due to expired certificates and thus addressing availability in the CIA security triad.\n\n*Note*: This recommendation only applies if you let kubelets get their certificates from the API server. In case your kubelet certificates come from an outside authority/tool (e.g. Vault) then you need to take care of rotation yourself.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that `RotateKubeletServerCertificate` argument exists and is set to `true`.\n\n## Remediation\n\nOn the master edit `/var/lib/kubelet/kubeadm-flags.env` and set the parameter `KUBELET_CERTIFICATE_ARGS --feature-gates=RotateKubeletServerCertificate=true` or as an alternative, and suggested as a last resort, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_CERTIFICATE_ARGS` variable:\n\n```\n--feature-gates=RotateKubeletServerCertificate=true\n```\n\nBased on your system, restart the kubelet service. 
For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet server certificate rotation is disabled.\n\n## References\n\n1. https://github.com/kubernetes/kubernetes/pull/45059\n2. https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://github.com/kubernetes/kubernetes/pull/45059\n[2]: https://kubernetes.io/docs/admin/kubelet-tls-bootstrapping/#kubelet-configuration\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.12","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.12\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"afr-qkp-94a","createdAt":1599599105048,"name":"Kubelet server certificate rotation is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.2","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service 
file ownership is set to root:root.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. Verify that the ownership is set to root:root.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chown root:root /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, kubelet service file ownership is set to root:root.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.2","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sy4-z1k-udc","createdAt":1599605194356,"name":"Kubelet service file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.3","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Kubelet authentication using certificates.\n\n## Rationale\n\nThe connections from the API server to the kubelet are used for fetching logs for pods, attaching (through kubectl) to running pods, and using the kubelet's port-forwarding functionality. These connections terminate at the kubelet's HTTPS endpoint. By default, the API server does not verify the kubelet's serving certificate, which makes the connection subject to man-in-the-middle attacks, and unsafe to run over untrusted and/or public networks. 
Enabling Kubelet certificate authentication ensures that the API server could authenticate the Kubelet before submitting any requests.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--client-ca-file` argument exists and is set to the location of the client certificate authority file. If the `--client-ca-file` argument is not present, check that there is a Kubelet config file specified by `--config`, and that the file sets authentication: x509: clientCAFile to the location of the client certificate authority file.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `authentication: x509: clientCAFile` to the location of the client CA file. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_AUTHZ_ARGS` variable.\n\n`--client-ca-file=`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nYou require TLS to be configured on API server as well as kubelets.\n\n## Default value\n\nBy default, `--client-ca-file argument` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. 
Whenever information flows over a network with a lower trust level, the information should be encrypted.\n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.3","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x6l-4d1-dwh","createdAt":1599600373842,"name":"Kubelet uses TLS certificate client authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.1.20","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that Kubernetes PKI certificate files have permissions of 644 or more restrictive.\n\n## Rationale\n\nKubernetes makes use of a number of certificate files as part of the operation of its components. 
The permissions on these files should be set to 644 or more restrictive to protect their integrity.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nfind /etc/kubernetes/pki -name \"*.crt\" | xargs stat -c '%n %a'\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod -R 644 /etc/kubernetes/pki/*.crt`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the certificates used by Kubernetes are set to have permissions of 644\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.20","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.20\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ion-6fc-xd4","createdAt":1599604147464,"name":"Kubernetes PKI certificate file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.19","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the Kubernetes PKI directory and file ownership is set to root:root.\n\n## Rationale\n\nKubernetes makes use of a number of certificates as part of its operation. You should set the ownership of the directory containing the PKI information and all files in that directory to maintain their integrity. The directory and files should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nls -laR /etc/kubernetes/pki/\n```\n\nVerify the ownership of all files and directories in this hierarchy is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chown -R root:root /etc/kubernetes/pki/`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/etc/kubernetes/pki/` directory and all of the files and directories contained within it, are set to be owned by the root user.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.19","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.19\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tgm-6a5-ttf","createdAt":1599603695482,"name":"Kubernetes PKI directory is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a pod in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating pods in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for Kubernetes objects which should be readable by unauthenticated users. Thus, a pod should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new pod in one of the default namespaces.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"tvf-ju6-h3i","createdAt":1589376012191,"name":"Kubernetes Pod Created in Kube Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a pod is attached to the host network.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a pod (`@objectRef.resource:pods`) with the host network `@requestObject.spec.hostNetwork:true` attached.\n\nAttaching the `hostNetwork` permits a pod to access the node's network adapter allowing a pod to listen to all network 
traffic for all pods on the node and communicate with other pods on the network namespace.\n\n## Triage and response\n1. Determine if the pod needs `hostNetwork` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.hostNetwork:true @http.status_code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.hostNetwork:true @responseStatus.code:[200 TO 299]","groupByFields":["@requestObject.metadata.generateName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"d3g-xpz-cwc","createdAt":1589376007079,"name":"Kubernetes Pod Created with hostNetwork"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","technique:T1536-create-account","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a service account in one of the Kubernetes default namespaces.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service account (`@objectRef.resource:serviceaccounts`) within either of the `kube-system` or `kube-public` namespaces.\n\nThe only users creating service accounts in the `kube-system` namespace should be cluster administrators. 
Furthermore, it is best practice to not run any cluster critical infrastructure in the `kube-system` namespace.\n\nThe `kube-public` namespace is intended for kubernetes objects which should be readable by unauthenticated users. Thus, a service account should likely not be created in the `kube-public` namespace.\n\n## Triage and response\n1. Determine if the user should be creating this new service account in one of the default namespaces.\n\n## Changelog\n21 September 2022 - Tuned rule to remove system and EKS service account creations, increased severity, added decrease on environment flag.\n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:serviceaccounts @http.method:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299] -@user.username:(system\\:* OR eks\\:*)","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:serviceaccounts @verb:create @http.status_code:[200 TO 299] @objectRef.namespace:(\"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299] -@usr.id:(system\\:* OR eks\\:*)","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"loy-9ka-bc2","createdAt":1589376017036,"name":"Kubernetes Service Account Created in Kube 
Namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a service's port is attached to the node's IP.\n\n## Strategy\nThis rule monitors when a create (`@http.method:create`) action occurs for a service (`@objectRef.resource:services`) attaching the service's port to the node's IP `@requestObject.spec.type:NodePort`.\n\nExposing the service's port to the the node's IP allows other hosts on the network namespace to access this service.\n\n## Triage and response\n1. Determine if the service needs to expose it's network connection with `NodePort` access.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:services @http.method:create @requestObject.spec.type:NodePort @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:services @verb:create @requestObject.spec.type:NodePort @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"cvp-3wz-v3s","createdAt":1589376023160,"name":"Kubernetes Service Created with NodePort"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nIdentify when a user is attempting to enumerate their permissions.\n\n## Strategy\nThis rule identifies when a user 
attempts to enumerate their permissions, for example, through the use of `kubectl auth can-i --list`. This can be an indicator of an attacker having compromised a Kubernetes service account or user and attempting to determine what permissions it has.\n\n## Triage and response\n1. Determine if enumerating the permissions of the user: `{{@usr.id}}` is suspicious. For example, a service account assigned to a web application and enumerating its privileges is highly suspicious, while a group assigned to operations engineers is likely to represent legitimate activity.\n2. Use the Cloud SIEM `User Investigation` dashboard to review any user actions that may have occurred after the potentially malicious action.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @requestObject.kind:SelfSubjectRulesReview @http.method:create -@usr.id:system\\:serviceaccount\\:*\\:datadog-kube-state-metrics","groupByFields":[],"aggregation":"count","name":"enumeration_attempt","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"enumeration_attempt > 0"}],"type":"log_detection","id":"9ft-ohp-w9w","createdAt":1649702540393,"name":"Kubernetes principal attempted to enumerate their 
permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","source:lambda","scope:lambda","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure your Amazon Lambda Function to have access to VPC-only resources.\n\n## Rationale\n\nBy default, Amazon Lambda functions run in a secure VPC with access to any AWS service and the internet. Selecting which resources have access secures the connections within your private VPC.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring VPC access (console)][1] docs to configure VPC access for an existing function.\n\n### CLI\n\n1. Run `update-function-configuration` with your [Amazon Lambda function name and VPC configuration][2]. 
Set network connectivity to AWS resources within the configured VPC.\n\n ```\n aws lambda update-function-configuration\n --function-name your-lambda-function-name\n --vpc-config SubnetIds=\"subnet-ab12cd34\",\"subnet-12345678\",SecurityGroupIds=\"id-0abcd1234abcd5678\"\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#vpc-configuring\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@vpc_config_vpc_id:null OR 
@vpc_config_vpc_id:\"\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function ((@vpc_config_vpc_id:null OR @vpc_config_vpc_id:\"\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"byt-pin-xaq","createdAt":1619112188962,"name":"Lambda function has access to VPC resources"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","source:lambda","control:7.2.1","requirement:Compliance","scope:lambda","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS Lambda function access policy to remove access for unauthorized users.\n\n## Rationale\n\nGiving anonymous users the ability to invoke Amazon Lambda functions can lead to data loss, data exposure, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Using resource-based policies for AWS lambda][1] docs to update your AWS lambda function permissions.\n\n### CLI\n\n1. Run `remove-permission` with your [function name and statement ID][2].\n\n ```\n aws lambda remove-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n ```\n\n2. 
Run `add-permission` with your [function name, statement ID, principal for the trusted account, and action][3].\n\n ```\n aws lambda add-permission\n --function-name your-function-name\n --statement-id ab-12ab34c5-6a78-9b0c-123d-a123b456c789\n --principal 0123456780123\n --action lambda:InvokeFunction\n ```\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html#synopsis\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false","resourceType":"aws_lambda_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_policy_statement ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) 
@statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"tko-rvz-akj","createdAt":1624344845094,"name":"Lambda function is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:CC6.7","requirement:Transmission-Security","security:compliance","control:CC7.5","cloud_provider:aws","framework:gdpr","control:6.2","requirement:System-Operations","source:lambda","scope:lambda","requirement:Security-of-Processing","framework:soc-2","requirement:Change-Management","requirement:Security-Management-Process","control:32.1b","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","framework:hipaa","control:164.308-a-1-ii-B","control:164.312-e-2-i","control:CC8.1","framework:pci"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Lambda Function to the latest runtime environment version.\n\n## Rationale\n\nAs a best practice, Amazon recommends consistently updating your runtime environment to the latest version for security patches, bug fixes, and the latest features.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring functions in the console][1] docs to learn how to update the Lambda runtime that runs your function.\n\n### CLI\n\n1. 
Run `update-function-configuration` with [your function name and the latest runtime version][2] supported by AWS.\n\n#### python3.9\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"python3.9\"\n ```\n\n#### nodejs16.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"nodejs14.x\"\n ```\n\n#### java11\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"java11\"\n ```\n\n#### go1.x\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"go1.x\"\n ```\n\n#### dotnet6\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"dotnet6\"\n ```\n\n#### ruby2.7\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"ruby2.7\"\n ```\n\n#### provided.al2\n ```\n aws lambda update-function-configuration\n --function-name YourLambdaFunction\n --runtime \"provided.al2\"\n ```\n\n\n[1]: https://docs.aws.amazon.com/lambda/latest/dg/configuration-console.html\n[2]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\")","resourceType":"aws_lambda_function","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_lambda_function (-@runtime:(\"nodejs16.x\" OR \"python3.9\" OR \"ruby2.7\" OR \"java11\" OR \"go1.x\" OR \"dotnet6\" OR \"provided.al2\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"mxh-rvp-txm","createdAt":1619112189173,"name":"Lambda function uses latest runtime environment version"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","level:1","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","requirement:Communications-Security","control:2.6","control:3.2","control:1.2","control:2.1","control:1.3","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of legacy networks, a project should not have a legacy network\nconfigured. Legacy networks can no longer be created, and their use is not recommended. This recommendation is to check old projects to ensure\nthat they are not using Legacy Networks.\n\n## Rationale\nEach legacy network has a single network IPv4 prefix range, and a single gateway IP address. The network is global in scope and spans all cloud regions.\nSubnetworks cannot be created in a legacy network, and are unable to switch from legacy to\nauto or custom subnet networks. Legacy networks can have an impact on high network\ntraffic projects, and are subject to a single point of contention or failure.\n\n### Default value\nBy default, networks are not created in the legacy mode.\n\n## Remediation\n\nFor each Google Cloud Platform project:\n1. Read [Create and modify Virtual Private Cloud (VPC) networks][3] to create a non-legacy network suitable for the organization's requirements.\n2. 
Read [Deleting a legacy network][2] to delete the networks in the `legacy` mode.\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network][1]\n2. [https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network][2]\n\n[1]: https://cloud.google.com/vpc/docs/using-legacy#creating_a_legacy_network\n[2]: https://cloud.google.com/vpc/docs/using-legacy#deleting_a_legacy_network\n[3]: https://cloud.google.com/vpc/docs/create-modify-vpc-networks\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.2","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":
"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.ipv4_range\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nzs-hyi-zqr","createdAt":1659405204525,"name":"Legacy networks do not exist for older projects"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostIPC flag set to true.\n\n## Rationale\n\nA container running in the host's IPC namespace can use IPC to interact with 
processes outside the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host IPC namespace. If you have a requirement to containers that require hostIPC, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostIPC}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the .spec.hostIPC field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostIPC: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.3","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vs4-ja0-gkh","createdAt":1599600435891,"name":"Limit admission of containers sharing the host IPC namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.2","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostPID flag set to true.\n\n## Rationale\n\nA container running in the host's PID namespace can inspect processes running outside the container. If the container also has access to ptrace capabilities this can be used to escalate privileges outside of the container. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host PID namespace. 
If you need to run containers which require hostPID, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostPID}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostPID` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostPID: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.2","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"flc-1s1-okw","createdAt":1599600559953,"name":"Limit admission of containers sharing the host PID namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the allowPrivilegeEscalation flag set to true.\n\n## Rationale\n\nA container running with the `allowPrivilegeEscalation` flag set to true may have processes that can gain more privileges than their parent. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to allow privilege escalation. The option exists (and is defaulted to true) to permit setuid binaries to run. 
If you have need to run containers that use setuid binaries or require privilege escalation, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.allowPrivilegeEscalation}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.allowPrivilegeEscalation` field is omitted or set to false.\n\n## Impact\n\nPods defined with `spec.allowPrivilegeEscalation: true` will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.5","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"frf-hog-dra","createdAt":1599601783271,"name":"Limit admission of containers that do not block privilege escalation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.3","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.\n\n## Rationale\n\nDocker supports the addition and removal of capabilities. Remove all capabilities not required for the correct function of the container. 
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'` \n\nVerify that the added and deleted Linux kernel capabilities are in line with the ones needed by the container process in each container instance. Specifically, ensure that the `NET_RAW` capability is removed if not required.\n\n## Remediation\n\nExecute the command `docker run --cap-add={\"Capability 1\",\"Capability 2\"} ` to add required capabilities.\n\nExecute the command `docker run --cap-drop={\"Capability 1\",\"Capability 2\"} ` to remove unneeded capabilities.\n\nAlternatively, remove all the currently configured capabilities and then restore only the ones you specifically use: `docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} `\n\n## Impact\n\nRestrictions on processes within a container are based on which Linux capabilities are in force. Removal of the `NET_RAW` capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities.\n\n## Default value\n\nBy default, the capabilities below are applied to containers:\n\n* `AUDIT_WRITE`\n* `CHOWN`\n* `DAC_OVERRIDE`\n* `FOWNER`\n* `FSETID`\n* `KILL`\n* `MKNOD`\n* `NET_BIND_SERVICE`\n* `NET_RAW`\n* `SETFCAP`\n* `SETGID`\n* `SETPCAP`\n* `SETUID`\n* `SYS_CHROOT`\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#linux-kernel-capabilities\n2. 
http://man7.org/linux/man-pages/man7/capabilities.7.html\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.3","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"3j5-bun-deq","createdAt":1599605923399,"name":"Linux kernel capabilities are restricted to only those which are required"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect use of the `passwd` or `chpasswd` commands to change account passwords.\n\n## Strategy\nThe `passwd` operating system command is used to change user account passwords. The `chpasswd` does this in bulk. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host machine and achieve persistence. This detection is triggered when execution of the `passwd` or `chpasswd` command is detected.\n\n## Triage and response\n1. Determine which user executed the command and whether or not this is allowed or expected behavior.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:passwd_execution -@process.args:\"-S\"","groupByFields":["host"],"aggregation":"count","name":"passwd_execution","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"passwd_execution","condition":"passwd_execution > 0"}],"type":"workload_security","id":"yu0-i2l-ilb","createdAt":1617722068383,"name":"Local account password modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1070","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nMany attackers attempt to evade detection by deleting evidence of their presence on a host or container. A common way to do this is by deleting or modifying critical system logs that would otherwise log their activity. This detection aims to detect an attackers attempts to conceal themselves by destroying log data.\n\n## Strategy\nThis detection monitors the truncation (like the clearing of data within) of any log files under `/var/log` which is where many critical Linux log files are stored.\n\n## Triage & Response\n1. Check the name of the log file that was modified.\n2. Check which user or process modified the log.\n3. 
If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"logs_altered\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"llg-1g6-q0n","createdAt":1598516746163,"name":"Log data in /var/log/ was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","level:1","cloud:aws","requirement:Monitoring","framework:cis-aws","cloud_provider:datadog","control:4.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nReal-time monitoring of API calls can be achieved by directing CloudTrail Logs to Datadog and enabling the default rule [A user received multiple AccessDenied errors][1]. It is recommended that a metric filter and alarm be established for unauthorized API calls.\n\n## Rationale\n\nMonitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.\n\n## Remediation\n\nTo enable default rule [A user received multiple AccessDenied errors][1], navigate to the [Rules page][2]. If you have not yet enabled Security Monitoring, visit the [Setup and Configuration page][3].\n\n## Impact\n\nThis alert may be triggered by normal read-only console activities that attempt to opportunistically gather optional information, but gracefully fail if they don't have permissions. 
If an excessive number of alerts are being generated then an organization may wish to consider adding read access to the limited IAM user permissions simply to quiet the alerts. In some cases doing this may allow the users to actually view some areas of the system - any additional access given should be reviewed for alignment with the original limited IAM user intent.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79186-3\n2. https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n\n**Additional Information**: Configuring log metric filter and alarm on multi-region (global) CloudTrail ensures that activities from all regions (used as well as unused) are monitored.\n\n## CIS controls\n\nVersion 7:\n\n6.5 - Central Log Management - Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.\n\n6.7 - Regularly Review Logs - On a regular basis, review logs to identify anomalies or abnormal events.\n\n[1]: https://docs.datadoghq.com/security_platform/default_rules/aws-cloudtrail-access-denied-multiple-events/\n[2]: https://app.datadoghq.com/security/configuration/rules?query=una%20ruleId%3Abxz-x3r-zqw&sort=rule\n[3]: https://app.datadoghq.com/security/configuration?detect-threats=apache&secure-cloud-environment=amazon-web-services&secure-hosts-and-containers=kubernetes&selected-products=security_monitoring","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.1","framework":"cis-aws","requirement":"Monitoring","version":"1.3.0"}],"validationQuery":"@disabled_rules:(\"d17-702-f4a\")","resourceType":"datadog_configuration","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:datadog_configuration 
(@disabled_rules:(\"d17-702-f4a\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"3s1-mb8-7yw","createdAt":1625745858883,"name":"Log metric filter and alarm exist for unauthorized API calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","source:google_logging_log_sink","control:10.2.5","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","control:A.12.4.3","requirement:System-Operations","control:2.2","framework:cis-gcp","requirement:Control-Activities","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","scope:google_logging_log_sink","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nIt is recommended to create a sink that will export copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).\n\n## Rationale: \nLog entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. To export logs, create a filter that selects the log entries to export, and then choose a destination, such as Cloud Storage, BigQuery, or Cloud Pub/Sub, to which to export them. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.\n\n**Note:**\n1. 
A sink created by [these commands](#from-the-command-line), exports logs to storage buckets. However, sinks can be configured to export logs to BigQuery, or Cloud Pub/Sub, or a `Custom Destination`.\n2. While creating a sink, do not use the sink option `--log-filter` to ensure the sink exports all log entries.\n3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath, bypassing the option `--include-children` in the `gcloud` command.\n\n### Impact: \nThere are no costs or limitations in Cloud Logging for exporting logs, but the destinations to which the logs are exported charge for storing or transmitting the log data.\n\n### Default value:\nBy default, there are no sinks configured.\n\n## Remediation: \n\n### From the console:\n1. Go to the Logs Router page by visiting [https://console.cloud.google.com/logs/router][1].\n2. Click **CREATE SINK**.\n3. Fill out the fields for the Sink details sections.\n4. Select **Cloud Logging bucket** in the Select sink destination dropdown menu.\n5. Select a log bucket in the Sink destination drop down menu.\n6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.\n7. Click **Create Sink**.\n\n### From the command line:\n\n1. To create a sink to export all log entries in a Google Cloud Storage bucket:\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME\n ```\n2. Sinks can be created for a folder or organization, which will include all projects.\n ```\n gcloud logging sinks create \n storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID\n ```\n\n## References:\n1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging][2] \n2. [https://cloud.google.com/logging/quotas][3]\n3. [https://cloud.google.com/logging/docs/routing/overview][4]\n4. 
[https://cloud.google.com/logging/docs/export/using_exported_logs][5]\n5. [https://cloud.google.com/logging/docs/export/configure_export_v2][6]\n6. [https://cloud.google.com/logging/docs/export/aggregated_exports][7]\n7. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list][8]\n\n[1]: https://console.cloud.google.com/logs/router\n[2]: https://cloud.google.com/logging/docs/reference/tools/gcloud-logging\n[3]: https://cloud.google.com/logging/quotas\n[4]: https://cloud.google.com/logging/docs/routing/overview\n[5]: https://cloud.google.com/logging/docs/export/using_exported_logs\n[6]: https://cloud.google.com/logging/docs/export/configure_export_v2\n[7]: https://cloud.google.com/logging/docs/export/aggregated_exports\n[8]: https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.2","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_sinks := {logging_log_sink.project_id 
|\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n\tvalid_log_exclusions(logging_log_sink)\n\tlogging_log_sink.destination != \"\"\n}\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\nany_enabled_exclusion(logging_log_sink) if {\n\tlogging_log_sink.exclusions[_].disabled == false\n}\n\nvalid_log_exclusions(logging_log_sink) if {\n\tnot any_enabled_exclusion(logging_log_sink)\n}\n\neval(project) = \"pass\" if {\n\tvalid_log_sinks[project.project_id]\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_project","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_project","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_project","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hig-nyl-7xu","createdAt":1658996677403,"name":"Log sinks are configured for all log entries"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Log4j scanning attempt occurs in your environment.\n\n## Strategy\nRegex search on logs to find specific payloads indicative of Log4j scanning.\n\n## Triage and response\n1. 
Investigate if the host is running a vulnerable version of the Log4j Java library\n2. Use the [Log4j Investigation Dashboard](https://app.datadoghq.com/dash/integration/cloud_security_platform_log4shell_investigator) to conduct impact analysis\n3. Explore what other services the attacker hit in the last day - Linked to investigation query \n4. Explore Java logs associated with the attacker - linked to investigation query\n","options":{"detectionMethod":"hardcoded","evaluationWindow":300,"maxSignalDuration":3600,"hardcodedEvaluatorType":"log4shell","keepAlive":3600},"version":1,"isDefault":true,"filters":[],"queries":[{"query":"@http.url:*","groupByFields":["@network.client.ip"],"aggregation":"count","name":"log4shell_payloads_in_http_data","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"log4shell_payloads_in_http_data > 0"}],"type":"log_detection","id":"sdx-qzo-o9z","createdAt":1651680204724,"name":"Log4Shell Scanning Detected"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0043-reconnaissance","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects if your Apache or NGINX web servers are being scanned for the log4j vulnerability. The initial vulnerability was identified as [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).\n\n## Strategy\nThis signal evaluated that `jndi:(ldap OR rmi OR dns)` has been detected in the HTTP header fields `user agent` and `referrer` or `referer`.\n\n## Triage and response\n1. Ensure you servers have the most recent version of log4j installed. \n2. 
Check if the `Base64 was detected in an http.user_agent or http.referrer` rule was also triggered and follow the `Triage and response` steps in that rule.\n\nNote: Datadog's `The Monitor` blog has an article published about [\"The Log4j Logshell vulnerability: Overview, detection, and remediation\"](https://www.datadoghq.com/blog/log4j-log4shell-vulnerability-overview-and-remediation/). ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:(apache OR nginx) (@http.referer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.useragent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"standard_attributes","distinctFields":[]},{"query":"source:(apache OR nginx) (@http_referrer:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http_user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*) OR @http.user_agent:(*jndi\\:ldap* OR *jndi\\:rmi* OR *jndi\\:dns*))","groupByFields":[],"aggregation":"count","name":"non_standard_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standard attribute query triggered","condition":"standard_attributes > 0"},{"status":"info","notifications":[],"name":"non standard attribute query triggered","condition":"non_standard_attributes > 0"}],"type":"log_detection","id":"2oy-oni-kx6","createdAt":1639665375423,"name":"Log4j Scanner detected in user agent or 
referrer"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","control:1.5","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. MFA (multi-factor authentication) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they are prompted for their user name and password and an authentication code from their AWS MFA device.\n\n**Note**: When virtual MFA is used for root accounts, it should not be enabled on a personal device, but rather enable a dedicated and not personally owned mobile device (tablet or phone)(\"non-personal virtual MFA\"). This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and has knowledge of a credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-78911-5\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa][2]\n3. 
[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root][3]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions does not have console access. This control is not applicable for us-gov cloud regions.\n\n## CIS controls\n\nVersion 7, 4.5 - Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html#enable-virt-mfa-for-root\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.5","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"-@account_mfa_enabled:1","resourceType":"aws_iam_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_account 
(-@account_mfa_enabled:1)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"dth-jwu-9zo","createdAt":1599573999963,"name":"MFA is enabled for the \"root\" account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP address identified as malicious by Okta's ThreatInsight communicates with your Okta account.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.threat.detected`\n\n## Triage and response\n1. Determine if the `@usr.email` is `Unknown` or is an authenticated user.\n2. If the user is authenticated, conduct an investigation to determine if the IP address that is communicating with Okta is the user's IP address, or if the account is compromised.\n3. 
Consider switching ThreatInsight from `log mode` to `log and block mode` to block future requests from IP addresses on the ThreatInsight threat intelligence list.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.threat.detected @evt.outcome:ALLOW","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"x5j-v1t-d2r","createdAt":1589315626499,"name":"Malicious IP Communicating with Okta"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1003","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers looking for a specific mission target commonly gain access to a host or container adjacent to their mission target. To move laterally to the planned target, attackers commonly try to find credentials that would give them access to the host or container in question. A technique for finding these credentials is memory dumping. By dumping the contents of system memory to disk, an attacker can often find unencrypted credentials.\n\n## Strategy\nThis detection monitors the access of memory and memory maps that can be accessed from the `/proc/` directory on Linux.\n\n## Triage & Response\n1. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n2. 
Consider rotating any credentials that were in use on the host/container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"memory_dump\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"lhm-dok-amc","createdAt":1598516746171,"name":"Memory files in /proc/ were accessed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:azure","tactic:TA0006-credential-access","scope:azure","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetects when a user creates or modifies a trusted domain object in Microsoft 365.\n\n## Strategy\n\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain`\n- `Set domain authentication`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n- `Set federation settings on domain.`\n- `Set domain authentication.`\n\nAn attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.\n\n## Triage and response\n\n1. Determine if `{{@usr.id}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n - Remove the suspicious domain or settings.\n - Begin your organization's Incident Response (IR) process.\n3. 
If the API call was made by the user:\n - Ensure the change was authorized.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.name:(\"Set domain authentication\" OR \"Set domain authentication \" OR \"Set federation settings on domain\" OR \"Set federation settings on domain \") @evt.category:AuditLogs","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_trusted_domain_modified","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:(\"Set domain authentication.\" OR \"Set domain authentication. \" OR \"Set federation settings on domain.\" OR \"Set federation settings on domain. \")","groupByFields":["@usr.id"],"aggregation":"count","name":"m365_trusted_domain_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"azure_ad_trusted_domain_modified > 0 || m365_trusted_domain_modified > 0"}],"type":"log_detection","id":"dqm-ikd-5zd","createdAt":1660304700624,"name":"Microsoft 365 - Modification of Trusted Domain"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0040-impact","scope:exchange-server","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an anomalous amount of emails are deleted from Microsoft 365 Exchange.\n\n## Strategy\nMonitor Microsoft 365 Exchange audit logs to look for events with an `@evt.name` value of `HardDelete`, where the `@Folder.Path` is the inbox (`*Inbox*`).\n\n## Triage and response\n1. Determine if the user `{{@usr.id}}` intended to delete the observed emails.\n2. If `{{@usr.id}}` is not responsible for the email deletions, investigate `{{@usr.id}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:HardDelete @Folder.Path:*Inbox*","groupByFields":["@usr.id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"tos-tbi-7dh","createdAt":1619020060666,"name":"Microsoft 365 Anomalous Amount of Deleted Emails"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-365","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 user downloads an anomalous amount of files. This could be an indicator of data exfilteration.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for an anomalous amount of logs with an `@evt.name` value of `@evt.name:FileDownloaded`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to download the files.\n2. If `{{@usr.email}}` is not responsible for file downloads, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:FileDownloaded","groupByFields":["@usr.id"],"aggregation":"cardinality","name":"files_downloaded","distinctFields":["@SourceFileName"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"yhr-gui-v9i","createdAt":1658353411918,"name":"Microsoft 365 Anomalous Amount of Downloaded files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","technique:T1562-impair-defenses","scope:microsoft-365","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when admin or unified audit logging is disabled. An adversary or insider threat can disable audit logging as a means of defense evasion.\n\n## Strategy\nMonitor Microsoft 365 audit logs to look for events with an `@evt.name` value of `Set-AdminAuditLogConfig`, where `@Parameters.AdminAuditLogEnabled` OR `@Parameters.UnifiedAuditLogIngestionEnabled` is set to `False`.\n\n## Triage and response\n1. Determine if the user `{{@usr.email}}` intended to disable audit logging.\n2. If `{{@usr.email}}` is not responsible for disabling the audit logging, investigate `{{@usr.email}}` for anomalous activity. 
If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.UnifiedAuditLogIngestionEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"unified_audit_disabled","distinctFields":[]},{"query":"source:microsoft-365 @evt.name:Set-AdminAuditLogConfig @Parameters.AdminAuditLogEnabled:False","groupByFields":["@usr.email"],"aggregation":"count","name":"admin_audit_disabled","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Unified Audit Logging Disabled","condition":"unified_audit_disabled > 0"},{"status":"high","notifications":[],"name":"Admin Audit Logging Disabled","condition":"admin_audit_disabled > 0"}],"type":"log_detection","id":"d86-6xx-tbg","createdAt":1630681812369,"name":"Microsoft 365 Audit Logging Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:onedrive","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user creates an anonymous link for a Microsoft 365 document in OneDrive. This would allow any unauthenticated user to access this document, if they had the link.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AnonymousLinkCreated`.\n\n## Triage and response\n1. 
Determine whether this document should be available anonymously.\n\n## Changelog\n* 4 October 2022 - Updated severity.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:OneDrive @evt.name:AnonymousLinkCreated","groupByFields":["@usr.id","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"y1h-h20-er6","createdAt":1608766368930,"name":"Microsoft 365 OneDrive Anonymous Link Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","tactic:TA0009-collection","technique:T1213-data-from-information-repositories","scope:sharepoint"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user shares a Microsoft 365 Sharepoint document with a guest.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `SharingInvitationCreated` when the `TargetUserOrGroupType` is `Guest`.\n\n## Triage and response\n1. 
Determine whether this document should be shared with the external user.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:SharePoint @evt.name:(SharingInvitationCreated) @TargetUserOrGroupType:Guest","groupByFields":["@TargetUserOrGroupName","@ObjectId"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"v72-psu-eln","createdAt":1608766365850,"name":"Microsoft 365 SharePoint object shared with guest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:microsoft-365","scope:microsoft-teams"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user installs an app to Microsoft 365 Teams.\n\n## Strategy\nThis rule monitors the Microsoft 365 logs for the event name `AppInstalled`.\n\n## Triage and response\n1. 
Determine whether this app should be installed to Microsoft 365 teams.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:microsoft-365 service:MicrosoftTeams @evt.name:AppInstalled","groupByFields":["@AddOnName"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"i03-grd-ppd","createdAt":1608766367312,"name":"Microsoft 365 Teams app installed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Pod-Security-Policies","control:5.2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not generally permit containers to be run with the hostNetwork flag set to true.\n\n## Rationale\n\nA container running in the host's network namespace could access the local loopback device, and could access network traffic to and from other pods. There should be at least one PodSecurityPolicy (PSP) defined which does not permit containers to share the host network namespace. 
If you have need to run containers which require hostNetwork, this should be defined in a separate PSP and you should carefully check RBAC controls to ensure that only limited service accounts and users are given permission to access that PSP.\n\n## Audit\n\nGet the set of PSPs with the following command: `kubectl get psp`\n\nFor each PSP, check whether privileged is enabled: `kubectl get psp -o=jsonpath='{.spec.hostNetwork}'`\n\nVerify that there is at least one PSP which does not return true.\n\n## Remediation\n\nCreate a PSP as described in the Kubernetes documentation, ensuring that the `.spec.hostNetwork` field is omitted or set to false.\n\n## Impact\n\nPods defined with spec.hostNetwork: true will not be permitted unless they are run under a specific PSP.\n\n## Default value\n\nBy default, PodSecurityPolicies are not defined.\n\n## References\n\n1. [https://kubernetes.io/docs/concepts/policy/pod-security-policy][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\n[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.2.4","framework":"cis-kubernetes","requirement":"Pod-Security-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mlb-fwt-s80","createdAt":1599604274257,"name":"Minimize the admission of containers wishing to share the host network namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","scored:true","source:iam","requirement:Credentials","level:1","control:8.3","framework:cis-aws","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","cloud_provider:aws","control:164.308-a-3-ii-a","control:A.9.4.3","framework:soc-2","control:164.312-d","requirement:Authentication","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMulti-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password, and for an authentication code from their AWS MFA device. 
It is recommended that MFA be enabled for all accounts that have a console password.\n\n## Rationale\n\nEnabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of the credential.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://tools.ietf.org/html/rfc6238][2]\n2. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html][3]\n3. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users][4]\n4. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html][5]\n5. CCE-78901-6\n\n## CIS controls\n\n4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://tools.ietf.org/html/rfc6238\n[3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html\n[4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users\n[5]: 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.3","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"1.10","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-d","framework":"hipaa","requirement":"Authentication","version":"1"}],"validationQuery":"@password_enabled:true -@mfa_active:true","resourceType":"aws_iam_user","filter":"","queryPath":"credential_report","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_user (@password_enabled:true -@mfa_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"zd5-wvv-hv5","createdAt":1599573999956,"name":"Multi-factor authentication is enabled for all IAM users with a console password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","source:nginx","scope:nginx","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. 
This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"5jr-xi3-uto","createdAt":1587530047261,"name":"NGINX HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1190-exploit-public-facing-application","scope:nginx-ingress-controller","source:nginx-ingress-controller","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a web application is being scanned. This will identify attacker IP addresses who are not trying to hide their attempt to attack your system. 
More advanced hackers will use an inconspicuous user agent. \n\n## Strategy\nInspect the user agent in the HTTP headers to determine if an IP is scanning your application and generate an `INFO` signal. \n\n## Triage and response\n1. Determine if this IP is making authenticated requests to the application.\n2. If the IP is making authenticated requests to the application:\n * Investigate the HTTP logs and determine if the user is attacking your application.\n\nThe HTTP headers in the query are from [darkqusar][1]'s [gist][2] \n\n[1]: https://gist.github.com/darkquasar\n[2]: https://gist.github.com/darkquasar/84fb2cec6cc1668795bd97c02302d380\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:nginx-ingress-controller @http.useragent:(*burp* OR *burpcollaborator.net* OR *qualys* OR *nexpose* OR *OpenVAS* OR *Nikto* OR *Meterpreter* OR *IceWeasel* OR *DirB* OR *Comodo* OR *Tripwire* OR *Retina* OR *MBSA* OR *ImmuniWeb* OR *Netsparker* OR *Acunetix* OR *Intruder* OR *nmap* OR *CVE* OR *base64* OR *eval* OR *javascript* OR *alert*)","groupByFields":["@network.client.ip"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"oxj-rwr-gxq","createdAt":1587530154864,"name":"NGINX ingress controller HTTP requests from security scanner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to nsswitch.conf.\n\n## Strategy\nThe Name Service Switch (nsswitch) configuration file is used to point\u00a0system services and other applications to the sources of name-service information. 
This name-service information includes where the password file is stored, publickey information, and more. An attacker may attempt to modify nsswitch.conf in order to inject attacker-owned information into the authentication process. For instance, the attacker could point to a malicious password file and then login to privileged user accounts.\n\n## Triage and response\n1. Check to see what changes were made to nsswitch.conf.\n2. Check if critical name-service sources were changed, and whether the changes were a part of known system-setup or maintenance.\n3. If these changes are unauthorized, roll back the host in question to a known good nsswitch.conf, or replace the system with a known-good system image.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chmod)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chmod","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_chown)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_chown","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_link)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_link","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_rename)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_rename","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_open)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_open","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR 
nsswitch_conf_mod_unlink)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_unlink","distinctFields":[]},{"query":"@agent.rule_id:(nsswitch_conf_mod OR nsswitch_conf_mod_utimes)","groupByFields":["host"],"aggregation":"count","name":"nsswitch_conf_mod_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"nsswitch_conf_mod","condition":"nsswitch_conf_mod_chmod > 0 || nsswitch_conf_mod_chown > 0 || nsswitch_conf_mod_link > 0 || nsswitch_conf_mod_rename > 0 || nsswitch_conf_mod_open > 0 || nsswitch_conf_mod_unlink > 0 || nsswitch_conf_mod_utimes > 0"}],"type":"workload_security","id":"djc-3dp-3qm","createdAt":1606142958657,"name":"Name Service Switch configuration modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:1.3.5","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that enable multiple open ports and limit ingress traffic access based on port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access malicious activities, such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, by opening only the ports that are required by your application.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that only allows ingress traffic from a specific port range.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --ingress\n --rule-number 01\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_lenient(acl_entry) if {\n\tnot acl_entry.egress\n\tacl_entry.rule_action == \"allow\"\n\tnot acl_entry.port_range_from\n\tnot acl_entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tacl_entry := 
network_acl.entries[_]\n\tacl_lenient(acl_entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"q0m-mtc-9ks","createdAt":1599574008182,"name":"Network ACL inbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","security:compliance","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","requirement:Compliance","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nInvestigate AWS Network Access Control Lists (NACLs) for rules that utilize multiple ports and limit outbound traffic access to a specific port range.\n\n## Rationale\n\nEliminate the threat of unauthorized access by setting a specified port range.\n\n## Remediation\n\n### Console\n\nFollow the [Adding and deleting rules][2] docs to limit ingress traffic access based on port range.\n\n### CLI\n\n1. 
Run `replace-network-acl-entry` to create a rule that sets a specific port range for egress traffic.\n\n ```\n aws ec2 replace-network-acl-entry\n --network-acl-id id-01234567\n --egress\n --rule-number 02\n --protocol tcp\n --port-range From=000,To=000\n --rule-action allow\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#default-network-acl\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nnon_compliant_entry(entry) if {\n\tentry.egress\n\tentry.rule_action == \"allow\"\n\tnot entry.port_range_from\n\tnot entry.port_range_to\n}\n\neval(network_acl) = \"fail\" if {\n\tentry := network_acl.entries[_]\n\tnon_compliant_entry(entry)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults 
contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_network_acl"]},"validationQuery":"","resourceType":"aws_network_acl","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ykz-hrn-ev3","createdAt":1599574004771,"name":"Network ACL outbound traffic is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","control:CC6.6","requirement:Compliance","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:1.3.5","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","scope:vpc","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Network Access Control List (NACL) function provides stateless filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.\n\n## Rationale\n\nPublic access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.\n\n## Remediation\n\n1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home\n2. In the left pane, click Network ACLs.\n3. For each network ACL to remediate, perform the following: Select the network ACL, Click the Inbound Rules tab, Click Edit inbound rules. Either update the Source field to a range other than `0.0.0.0/0` or click Delete to remove the offending inbound rule. Click save.\n\n## Reference\n\n1. [https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html][1]\n2. [https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison][2]\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html\n[2]: 
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.1","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"}],"validationQuery":"@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR 
\"17\")))","resourceType":"aws_network_acl","filter":"","queryPath":"entries","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_network_acl (@egress:false @rule_action:\"allow\" (@cidr_block:\"0.0.0.0/0\" OR @cidr_block:\"::/0\") ((@protocol:(\"tcp\" OR \"6\" OR \"udp\" OR \"17\") ((-@port_range_from:* -@port_range_to:*) OR (@port_range_from:<=22 @port_range_to:>=22) OR (@port_range_from:<=3389 @port_range_to:>=3389))) OR (-@protocol:(\"icmp\" OR \"1\" OR \"tcp\" OR \"6\" OR \"udp\" OR \"17\"))))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"b5p-spa-hx4","createdAt":1619112188801,"name":"Network ACLs do not allow ingress from 0.0.0.0/0 to remote server administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","control:CC6.6","cloud_provider:azure","framework:gdpr","source:azure.network","level:1","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","requirement:Communications-Security","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","scope:azure.network","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nAzure Network Security Group (NSG) is configured to allow specific ports rather than all ports or port ranges.\n\n## Rationale\n\nNSGs should be configured as granularly as possible, allowing only specific and necessary ports. Leaving ranges of ports open can allow access to ports that are vulnerabile to attack. \n\n## Remediation\n\n### Console\n\nFollow the [Work with security rules guide][1] to modify the port ranges associated with a NSG using the Microsoft Azure Console. \n\n### CLI\n\nUse the [Microsft Azure az network nsg rule update module][2] to update the ports associated with a NSG using the Microsoft Azure CLI. \n\n## References\n\n[1]: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#work-with-security-rules\n[2]: https://docs.microsoft.com/en-us/cli/azure/network/nsg/rule?view=azure-cli-latest#az-network-nsg-rule-update","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-
Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ndestination_port_not_compliant(security_rule) if {\n\tsecurity_rule.destination_port_range == \"*\"\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tdestination_port_range == \"*\"\n} else {\n\tregex.match(\"([0-9])+-([0-9])+\", security_rule.destination_port_range)\n} else {\n\tdestination_port_range := security_rule.destination_port_ranges[_]\n\tregex.match(\"([0-9])+-([0-9])+\", destination_port_range)\n}\n\nsecurity_rule_not_compliant(security_rule) if {\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.access == \"Allow\"\n\tdestination_port_not_compliant(security_rule)\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule = security_group.security_rules[_]\n\tsecurity_rule_not_compliant(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cis-7ih-ek8","createdAt":1645736563232,"name":"Network Security Group does not use port ranges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1046-network-service-scanning","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of the `nmap` network utility.\n\n## Strategy\n`nmap` is a network utility commonly used by attackers to understand a victim's network topology and vulnerabilities. After an attacker's initial intrusion into a host (for example, through a web shell exploit, container breakout), they may attempt to use `nmap` to do reconnaissance. This detection triggers when an execution of `nmap` is detected on a system. If this is unexpected behavior, it could indicate an attacker attempting to compromise your systems.\n\n## Triage and response\n1. Determine which user executed `nmap` and whether this is allowed or expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and network tools involved. 
Investigate the security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the exploit.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:common_net_intrusion_util -@process.args:\"-V\"","groupByFields":["host"],"aggregation":"count","name":"common_net_intrusion_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"common_net_intrusion_util","condition":"common_net_intrusion_util > 0"}],"type":"workload_security","id":"yqg-ebh-po2","createdAt":1617722067554,"name":"Network scanning utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","source:compliance-agent","control:2.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy default, all network traffic is allowed between containers on the same host on the default network bridge. You can restrict all inter-container communication and link specific containers together that require communication. Or, you can create a custom network and only join containers that need to communicate to that custom network.\n\n## Rationale\n\nBy default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. 
Hence, restrict inter-container communication on the default network bridge.\n\n## Audit\n\nVerify that the default network bridge has been configured to restrict inter-container communication by running:\n```\ndocker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}' \n```\nCheck that it returns `com.docker.network.bridge.enable_icc:false` for the default network bridge.\n\n## Remediation\n\nEdit the Docker daemon configuration file to ensure that inter-container communication is disabled:\n\n```\n\"icc\": false\n```\n\nAlternatively, run the Docker daemon directly and pass `--icc=false` as an argument:\n\n```\ndockerd --icc=false \n```\n\nFollow the Docker documentation and create a custom network, and only join containers that need to communicate to that custom network. The `--icc` parameter only applies to the default docker bridge. If you use a custom network, adopt the segmenting networks approach instead.\n\n## Impact\n\nInter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks.\n\n## Default value\n\nBy default, all inter-container communication is allowed on the default network bridge.\n\n## References\n\n1. [https://docs.docker.com/engine/userguide/networking/][1]\n2. 
[https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers][2]\n\n## CIS controls\n\nNone \n\n[1]: https://docs.docker.com/engine/userguide/networking/ \n[2]: https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_network","complianceFrameworks":[{"control":"2.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmd-zy3-5un","createdAt":1599604593277,"name":"Network traffic is restricted between containers on the default network bridge"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a network utility (like `cURL` or `Wget`) is used to access the cloud instance metadata service (IMDS) in an interactive session.\n\n## Strategy\nThe cloud instance metadata service is a link-local HTTP endpoint that provides data about a given cloud instance. One function is to provide temporary security credentials so that they do not need to be stored on the host. Because IMDS can be used to fetch security credentials, attackers may use it to escalate privileges in order to access other cloud resources. 
This detection identifies when Linux network utilities are used in an interactive session to access the metadata service. Especially in production environments, it is unusual for this activity to occur interactively.\n\n## Triage & Response\n1. Determine whether or not this is expected behavior. For example, did an employee run commands for an approved reason, or does a configuration management utility use an interactive session?\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Using cloud audit logs, identify if the attached identity was misused.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:aws_metadata_service @process.tty:*","groupByFields":["host"],"aggregation":"count","name":"aws_metadata_service","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"aws_metadata_service","condition":"aws_metadata_service > 0"}],"type":"workload_security","id":"ugv-e7o-qpv","createdAt":1627392836096,"name":"Network utility accessed cloud metadata service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location on a host.\n\n## 
Strategy\nAfter an attacker's initial intrusion into a host (for example, through a web shell exploit, or a container breakout), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance, or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected on a host. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. Determine which user executed the utility and whether or not this is allowed or expected behavior.\n2. Review the ancestors for unexpected processes or files executed. \n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util @process.ancestors.executable.path:(*\\/tmp\\/* OR *\\/home\\/*)","groupByFields":["host"],"aggregation":"count","name":"net_util","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"net_util","condition":"net_util > 0"}],"type":"workload_security","id":"med-78m-snu","createdAt":1617722067377,"name":"Network utility executed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1105-ingress-tool-transfer","tactic:TA0011-command-and-control","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect execution of a network utility executed from a suspicious location in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim container (for example, through a web shell exploit), they may attempt to use network utilities for a variety of malicious purposes (for example, reconnaissance or data exfiltration). This detection triggers when execution of one of a set of network utilities (for example, `nslookup`, `netcat`) is detected in a container. Different utilities may serve different purposes in an attack; for example, DNS tools like `nslookup` could be involved in a DNS data exfiltration attack, and `netcat` could indicate a backdoor and data exfiltration. If this is unexpected behavior, it could indicate an attacker attempting to compromise your containers and host.\n\nThese utilities executed by a file located in `/tmp` or another writeable directory could indicate a malicious script attempting to perform actions on the host. These actions may include downloading additional tools or exfiltrating data.\n\n## Triage and response\n1. 
Determine whether or not this is expected behavior.\n2. Review the ancestors for unexpected processes or files executed.\n3. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.34 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:net_util_in_container @process.ancestors.executable.path:(*\\/tmp\\/* OR \\/home\\/* OR \\/run\\/user\\/*)","groupByFields":["@container.id","host"],"aggregation":"count","name":"net_util_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"net_util_in_container","condition":"net_util_in_container > 0"}],"type":"workload_security","id":"idj-fom-4qg","createdAt":1617722068439,"name":"Network utility executed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","technique:T1199-trusted-relationship","source:cloudtrail","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker accesses your AWS account from their AWS Account.\n\n## Strategy\nThis rule lets you monitor AssumeRole (`@evt.name:AssumeRole`) CloudTrail API calls to detect when an external AWS account (`@usr.account_id`) assumes a role into your AWS 
account (`account`). It does this by learning all AWS accounts from which the AssumeRole call occurs within a 7-day window. Newly detected accounts after this 7-day window will generate security signals.\n\n## Triage and response\n1. Determine if the `@usr.account_id` is an AWS account is managed by your company.\n2. If not, try to determine who is the owner of the AWS account.\n3. Inspect the role the account is assuming. Determine who created this role and who allowed this AWS account to assume this role.\n\n## Changelog\n7 April 2022 - Update rule query and signal message.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":172,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @evt.name:AssumeRole"}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"xvo-lqg-7bu","createdAt":1614810571081,"name":"New AWS Account Seen Assuming a Role into AWS Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ec2","iaas:aws","tactic:TA0040-impact","source:cloudtrail","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an attacker spawns an instance for malicious purposes. \n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect when a new instance type (`@responseElements.instancesSet.items.instanceType`) is spawned:\n\n* [RunInstances][1]\n\nIt does this by inspecting the AWS Instance types each AWS account are seen over a 7-day window. Newly detected instance types after this 7-day window till generate security signals.\n\n## Triage and response\n1. 
Determine whether the instance type `{{@responseElements.instancesSet.items.instanceType}}` is expected to be used in your AWS account by checking the [Datadog Infrastructure List][2].\n2. If not, determine who spawned this instance and ask the user whether their activity was legitimate or whether their credentials were compromised and this instance is being used by an attacker.\n\n## Changelog\n7 April 2022 - Updated rule query.\n\n[1]: https://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html\n[2]: https://app.datadoghq.com/infrastructure?tab=details&tags=instance-type%3A{{@responseElements.instancesSet.items.instanceType}}","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@responseElements.instancesSet.items.instanceType","aggregation":"new_value","metrics":["@responseElements.instancesSet.items.instanceType"],"groupByFields":["account"],"query":"source:cloudtrail -@level:Error @eventSource:ec2.amazonaws.com @evt.name:RunInstances"}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"rk5-l8o-jir","createdAt":1619019323550,"name":"New EC2 Instance Type"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is creating a Kubernetes namespace.\n\n## Strategy\nThis rule monitors when a `create` action occurs for the Kubernetes namespace (`@objectRef.resource:namespaces`) to detect when a user is creating a new Kubernetes namespace.\n\n## Triage and response\n1. 
Determine if the user should be creating this new namespace.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:namespaces @http.method:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @http.status_code:[200 TO 299]","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:namespaces @verb:create -@objectRef.name:(\"default\" OR \"kube-system\" OR \"kube-public\") @responseStatus.code:[200 TO 299]","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"zgq-pd9-wgw","createdAt":1589376020564,"name":"New Kubernetes Namespace Created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:kubernetes","tactic:TA0004-privilege-escalation","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a privileged pod is created. Privileged pods remove container isolation which allows privileged actions on the host.\n\n## Strategy\nThis rule monitors when a pod (`@objectRef.resource:pods`) is created (`@http.method:create`) and the privileged security context (`@requestObject.spec.containers.securityContext.privileged`) is `true`.\n\n## Triage & Response\n1. Determine if the pod should be privileged. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @http.method:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @verb:create @requestObject.spec.containers.securityContext.privileged:true","groupByFields":["@objectRef.name","@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"smy-zpp-8hr","createdAt":1626700164544,"name":"New Kubernetes privileged pod created"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1525-implant-internal-image","scope:ecr","iaas:aws","source:cloudtrail","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential persistence mechanisms being deployed in the AWS Elastic Container Registry (ECR).\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr:GetAuthorizationToken` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException @threat_intel.indicators_matched:*","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ori-yda-7sc","createdAt":1630665990802,"name":"New Private Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:ecr","technique:T1567-exfiltration-over-web-service","iaas:aws","source:cloudtrail","tactic:TA0010-exfiltration","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new image is uploaded to the public ECR. This could be a potential exfil route of data from the cloud. Could be a supply chain effect as well if a company hosts their containers here for consumers.\n\nNOTE: Amazon ECR requires that users have permission to make calls to the `ecr-public:GetAuthorizationToken` and `sts:GetServiceBearerToken` API through an IAM policy before they can authenticate to a registry and push any images to an Amazon ECR repository.\n\n## Strategy\nDetect when `@evt.name:PutImage` is used against the `ecr-public.amazonaws.com` API. \n\n## Triage & Response\n1. 
Check that `{{@responseElements.image.imageId.imageDigest}}` is a valid sha256 hash for the container image with a tag of `{{@responseElements.image.imageId.imageTag}}` in the `{{@responseElements.image.repositoryName}}` repository on AWS Account `{{@usr.account_id}}`.\n2. If the hash is not valid for that container image, determine if the container image was placed there for a malicious purpose.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ecr-public.amazonaws.com @evt.name:PutImage -@error.kind:ImageAlreadyExistsException","groupByFields":["@requestParameters.repositoryName"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"3ye-k1x-9mp","createdAt":1630666006819,"name":"New Public Repository Container Image detected in AWS ECR"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ecs","iaas:aws","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user executes a command on an ECS container for the first time. An attacker may use this as a technique to escalate their privileges\nbecause they can run arbitrary commands on behalf of the container with the role and permissions associated with the\ncontainer.\n\n## Strategy\nThis rule lets you monitor this CloudTrail API call to detect if a user is executing a command on an ECS container:\n\n* `ExecuteCommand`\n\n## Triage and response\n1. Investigate the command that the user ({{@userIdentity.arn}}) ran on the container, which is located in the Cloudtrail log at `@requestParameters.container`, if the telemetry exists.\n2. 
Analyze Cloudtrail logs with {{@userIdentity.arn}} that are within the same time frame as this security signal.\n3. Review any other security signals generated for this container.\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":0,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":175,"isDefault":true,"filters":[{"action":"suppress","query":"foo"},{"action":"require","query":"bar"}],"queries":[{"distinctFields":[],"name":"","metric":"@usr.account_id","aggregation":"new_value","metrics":["@usr.account_id"],"groupByFields":["@userIdentity.arn"],"query":"source:cloudtrail @evt.name:ExecuteCommand @requestParameters.interactive:true"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@me"],"name":""}],"type":"log_detection","id":"o2p-sbu-rlg","createdAt":1615916348842,"name":"New user seen executing a command in an ECS task"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to use when connecting to load balancers. 
To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. 
Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_https_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_https_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_https_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_https_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_https_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_https_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_https_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wsz-dzl-7cw","createdAt":1664548936030,"name":"No HTTPS proxy load balancers permit SSL policies with weak cipher suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.3.1","scored:true","control:1.1.4","security:compliance","control:CC6.6","cloud_provider:gcp","control:1.4","scope:google_compute_ssl_policy","framework:cis-gcp","level:1","requirement:Firewall-Configuration","framework:soc-2","control:3.9","source:google_compute_ssl_policy","requirement:Logical-and-Physical-Access-Control","framework:pci","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nSecure Sockets Layer (SSL) policies determine what port Transport Layer Security (TLS)\nfeatures clients are permitted to 
use when connecting to load balancers. To prevent usage\nof insecure features, SSL policies should use one of the following:\n- At least `TLS 1.2` with the `MODERN` profile;\n- The `RESTRICTED` profile, because it effectively requires clients to use TLS 1.2 regardless of the chosen minimum TLS version; or\n- a `CUSTOM` profile that does not support any of the following features:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n## Rationale\nLoad balancers are used to efficiently distribute traffic across multiple servers. Both SSL\nproxy and HTTPS load balancers are external load balancers, meaning they distribute\ntraffic from the Internet to a GCP network. GCP customers can configure load balancer SSL\npolicies with a minimum TLS version (1.0, 1.1, or 1.2) that clients can use to establish a\nconnection, along with a profile (Compatible, Modern, Restricted, or Custom) that specifies\npermissible cipher suites. To comply with users using outdated protocols, GCP load\nbalancers can be configured to permit insecure cipher suites. The GCP default SSL\npolicy uses a minimum TLS version of 1.0 and a Compatible profile, which allows the\nwidest range of insecure cipher suites. As a result, it is easy for customers to configure a\nload balancer without knowing that they are permitting outdated cipher suites.\n\n### Impact\nCreating more secure SSL policies has the potential to prevent clients using older TLS versions from\nestablishing a connection.\n\n### Default value\nThe GCP default SSL policy is the least secure setting: Min TLS 1.0 and Compatible profile\n\n## Remediation\n\n### From the console:\nIf the TargetSSLProxy or TargetHttpsProxy does not have an SSL policy configured, create a new SSL policy. Otherwise, modify the existing insecure policy.\n\n1. 
Navigate to the **SSL Policies** page by visiting: [https://console.cloud.google.com/net-security/sslpolicies][1]\n2. Click on the name of the insecure policy to go to its **SSL policy details** page.\n3. Click **EDIT**.\n4. Set `Minimum TLS version` to `TLS 1.2`.\n5. Set `Profile` to `Modern` or `Restricted`.\n6. Alternatively, if the user selects the profile `Custom`, make sure that the following features are disabled:\n ```\n TLS_RSA_WITH_AES_128_GCM_SHA256\n TLS_RSA_WITH_AES_256_GCM_SHA384\n TLS_RSA_WITH_AES_128_CBC_SHA\n TLS_RSA_WITH_AES_256_CBC_SHA\n TLS_RSA_WITH_3DES_EDE_CBC_SHA\n ```\n\n### From the command line:\n1. For each insecure SSL policy, update it to use secure ciphers:\n ```\n gcloud compute ssl-policies update NAME [--profile COMPATIBLE|MODERN|RESTRICTED|CUSTOM] --min-tls-version 1.2 [--custom-features FEATURES]\n ```\n2. If the target proxy has a GCP default SSL policy, use the following command corresponding to the proxy type to update it.\n ```\n gcloud compute target-ssl-proxies update TARGET_SSL_PROXY_NAME --ssl-policy SSL_POLICY_NAME\n gcloud compute target-https-proxies update TARGET_HTTPS_POLICY_NAME --ssl-policy SSL_POLICY_NAME\n ```\n\n## References\n1. [https://cloud.google.com/load-balancing/docs/use-ssl-policies][2]\n2. 
[https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf][3]\n\n[1]: https://console.cloud.google.com/net-security/sslpolicies\n[2]: https://cloud.google.com/load-balancing/docs/use-ssl-policies\n[3]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ncompliant_policy(compute_ssl_policy) if {\n\tupper(compute_ssl_policy.profile) == \"MODERN\"\n\tupper(compute_ssl_policy.min_tls_version) == \"TLS_1_2\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"RESTRICTED\"\n} else {\n\tupper(compute_ssl_policy.profile) == \"CUSTOM\"\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_GCM_SHA256\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_GCM_SHA384\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_128_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_AES_256_CBC_SHA\")\n\tnot contains(upper(compute_ssl_policy.enabled_features), \"TLS_RSA_WITH_3DES_EDE_CBC_SHA\")\n}\n\npolicy_align(compute_target_ssl_proxy, compute_ssl_policy) if {\n\tpolicySplit := split(compute_target_ssl_proxy.ssl_policy, 
\"sslPolicies/\")\n\tpolicyName := policySplit[1]\n\tpolicyName == compute_ssl_policy.name\n\tcompliant_policy(compute_ssl_policy)\n}\n\neval(compute_target_ssl_proxy) = \"pass\" if {\n\tcompute_ssl_policy := input.resources.gcp_compute_ssl_policy[_]\n\tpolicy_align(compute_target_ssl_proxy, compute_ssl_policy)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_target_ssl_proxy","gcp_compute_ssl_policy"]},"validationQuery":"","resourceType":"gcp_compute_target_ssl_proxy","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_target_ssl_proxy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"kmq-mlb-uhu","createdAt":1664548316871,"name":"No SSL proxy load balancers permit SSL policies with weak cipher 
suites"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","scope:iam","scored:true","source:iam","control:164.308-a-3-ii-B","control:164.308-a-3-i","control:164.308-a-4-i","requirement:Compliance","level:1","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","requirement:Information-Access-Management","framework:pci","requirement:Workforce-Security","security:compliance","control:1.10","requirement:Least-Privileged-Access","cloud_provider:aws","control:7.1","control:1.4","control:2.1","control:2.2","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.2.1","control:7.1.3","requirement:Default-Security-Parameters","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:164.312-a-2-i","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.2","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed.\n\n## Rationale\n\nRemoving access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html][2]\n2. [http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html][3]\n3. [http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html][4]\n4. 
CCE-78910-7\n5. [https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/][5]\n\n**Additional Information**: IAM User account \"root\" for us-gov cloud regions is not enabled by default. However, on request to AWS support enables root access only through access-keys (CLI, API methods) for us-gov cloud region.\n\n## CIS controls\n\nVersions 7, 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html\n[3]: http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html\n[4]: http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountSummary.html\n[5]: 
https://aws.amazon.com/blogs/security/an-easier-way-to-determine-the-presence-of-aws-account-access-keys/\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.10","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.4","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.312-a-2-i","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-
3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@access_key_1_active:true OR @access_key_2_active:true","resourceType":"aws_iam_credential_report","filter":"@user:\"\"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report @user:\"\" (@access_key_1_active:true OR @access_key_2_active:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"snb-kjs-kgm","createdAt":1599574003908,"name":"No root account access key exists"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Transmission-Security","scope:ec2","source:ec2","control:CC6.6","framework:gdpr","requirement:Compliance","level:1","framework:cis-aws","control:2.2.2","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:1.3.1","control:1.2.3","security:compliance","control:1.3.4","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:5.2","requirement:Communications-Security","control:7.2.1","requirement:Default-Security-Parameters","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1b","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity groups provide stateful filtering of ingress/egress network traffic to AWS resources. 
You should not allow any security group unrestricted ingress access to port 22.\n\n## Rationale\n\nRemoving unfettered connectivity to remote console services, such as SSH, reduces a server's exposure to risk.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nIf you are updating an existing environment, ensure that administrators who currently rely on ingress from 0.0.0.0/0 have access to ports 22 and 3389 through another security group.\n\n## Default value\n\nNone\n\n## References\n\nNone\n\n## CIS controls\n\n9.2 Ensure Only Approved Ports, Protocols, and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-4.1\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"5.2","framework":"cis-aws
","requirement":"Networking","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_port(rule) if {\n\tnot rule.from_port\n\tnot rule.to_port\n} else {\n\trule.from_port <= 22\n\trule.to_port >= 22\n} else {\n\trule.from_port <= 3389\n\trule.to_port >= 3389\n}\n\nbad_protocol(rule) if {\n\tnot rule.protocol in [\"icmp\", \"1\", \"tcp\", \"6\", \"udp\", \"17\"]\n} else {\n\trule.protocol in [\"tcp\", \"6\", \"udp\", \"17\"]\n\tbad_port(rule)\n}\n\nbad_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\trule.direction == \"ingress\"\n\tbad_ip_range(rule.ip_range)\n\tbad_protocol(rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ueo-zqv-fep","createdAt":1607607222597,"name":"No security groups allow ingress from 0.0.0.0/0 to remote administration ports"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","control:3.8","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","requirement:Communication-and-Information","security:compliance","control:8.1","control:4.4","control:4.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","scope:google_compute_instance","control:A.9.1.2","control:4.1.1","control:8.1.4","requirement:Encryption-In-Transit","source:google_compute_instance","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling OS Login binds SSH certificates to IAM users and facilitates effective SSH certificate\nmanagement.\n\n## Rationale\nEnabling OS Login ensures that SSH keys used to connect to instances are mapped to IAM\nusers. Revoking access to an IAM user will revoke all the SSH keys associated with that\nparticular user. 
It facilitates centralized and automated SSH key pair management, which is\nuseful in handling cases like compromised SSH key pairs and/or revocation of\nexternal, third-party, vendor users.\n\nTo use OS Login, the instance using Custom Images must have the latest version\nof the Linux Guest Environment installed. The following image families do not\nsupport OS Login:\n\n - Project cos-cloud (Container-Optimized OS) image family cos-stable.\n - All project coreos-cloud (CoreOS) image families\n - Project suse-cloud (SLES) image family sles-11\n - All Windows Server and SQL Server image families\n\nThe project's `enable-oslogin` can be overridden by setting the `enable-oslogin` parameter to an\ninstance metadata individually.\n\n### Impact\nEnabling OS Login on a project disables metadata-based SSH key configurations on all\ninstances of a project. Disabling OS Login restores SSH keys that you have configured in a\nproject's or an instance's metadata.\n\n### Exception\nVMs created by GKE should be excluded. These VMs have names that start with `gke-`\nand are labeled `goog-gke-node`.\n\n### Default value\nBy default, the parameter `enable-oslogin` is not set, which is equivalent to setting it to `FALSE`.\n\n## Remediation\n\n### From the console:\n\n1. Go to the [VM compute metadata][1] page.\n2. Click **Edit**.\n3. Add a metadata entry for the key `enable-oslogin` with the value `TRUE`.\n4. Click **Save** to apply the changes.\n5. For every instance that overrides the project setting, go to the VM Instance's page at \n https://console.cloud.google.com/compute/instances.\n6. Click the name of the instance from which you want to remove the metadata value.\n7. At the top of the instance's details page, click **Edit** to edit the instance's settings.\n8. Under Custom Metadata, remove any entries with the key `enable-oslogin` set to `FALSE`.\n9. 
At the bottom of the instance's details page, click **Save** to apply your changes to the instance.\n\n### From the command line:\n\n1. Configure OS Login for the project by running the following command:\n ```\n gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE\n ```\n\n2. Use the following command to remove instance metadata that overrides the project setting:\n ```\n gcloud compute instances remove-metadata --keys=enable-oslogin\n ```\n\nOptionally, you can enable two-factor authentication for OS Login. See [Setting up OS Login with 2-step verification ][2] for more information.\n\n## References\n1. [https://cloud.google.com/compute/docs/instances/managing-instance-access][3]\n2. [https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin][4]\n3. [https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata][5]\n4. [https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication][2]\n\n\n\n[1]: https://console.cloud.google.com/compute/metadata\n[2]: https://cloud.google.com/compute/docs/oslogin/setup-two-factor-authentication\n[3]: https://cloud.google.com/compute/docs/instances/managing-instance-access\n[4]: https://cloud.google.com/compute/docs/instances/managing-instance-access#enable_oslogin\n[5]: 
https://cloud.google.com/sdk/gcloud/reference/compute/instances/remove-metadata\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.4","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.8","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"4.1.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.1.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_instance) = \"skip\" if {\n\tgke(compute_instance)\n} else = \"pass\" {\n\titem := compute_instance.metadata.items[_]\n\titem.key == \"enable-oslogin\"\n\titem.value == \"true\"\n} else = \"fail\" {\n\ttrue\n}\n\ngke(compute_instance) if {\n\tstartswith(compute_instance.name, \"gke-\")\n} else {\n\tcompute_instance.labels[_] == \"goog-gke-node:\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hpp-bv9-lom","createdAt":1657547711348,"name":"OS Login is enabled for the project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a new Okta API token is created.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a new Okta API token is created:\n\n* `system.api_token.create`\n\n## Triage and response\n1. 
Contact the user who created the API token and ensure that the API token is needed.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:system.api_token.create","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"lpf-tho-8sx","createdAt":1589315541698,"name":"Okta API Token Created or Enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","scope:okta","technique:T1199-trusted-relationship","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect an Okta session impersonation.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect a user session impersonation:\n\n* `user.session.impersonation.initiate`\n* `user.session.impersonation.end`\n* `user.session.impersonation.grant`\n* `user.session.impersonation.extend`\n* `user.session.impersonation.revoke`\n\nThese events indicate that the user: `{{@usr.email}}` has the effective permissions of the impersonated user. This is likely to occur through [Okta support access][1]. This [blog][2] illustrates the potential impact an attacker can cause by impersonation session.\n\n## Triage and response\n1. Contact your Okta administrator to ensure the user: `{{@usr.email}}` is authorized to impersonate a user session.\n2. 
If the user impersonation session is not legitimate:\n * Task your Okta administrator to end the impersonation session.\n * Investigate the actions taken by the user `{{@usr.email}}` during the session and revert back to the last known good state.\n * Begin your company's incident response process and investigate.\n\n[1]: https://support.okta.com/help/s/article/Granting-Access-to-Okta-Support?language=en_US\n[2]: https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.session.impersonation.initiate","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_initiate","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.end","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_end","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_grant","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.extend","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_extend","distinctFields":[]},{"query":"source:okta @evt.name:user.session.impersonation.revoke","groupByFields":["@usr.email"],"aggregation":"count","name":"user_session_impersonation_revoke","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Session initiated","condition":"user_session_impersonation_initiate > 0"},{"status":"info","notifications":[],"name":"Session ended","condition":"user_session_impersonation_end > 0"},{"status":"info","notifications":[],"name":"Session granted","condition":"user_session_impersonation_grant > 
0"},{"status":"info","notifications":[],"name":"Session extended","condition":"user_session_impersonation_extend > 0"},{"status":"info","notifications":[],"name":"Session revoked","condition":"user_session_impersonation_revoke > 0"}],"type":"log_detection","id":"dfw-lx0-cha","createdAt":1647981974902,"name":"Okta Impersonation"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to bypass multi-factor authentication (MFA).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user attempts to bypass MFA:\n\n* `user.mfa.attempt_bypass`\n\n## Triage and response\n1. Contact the user who attempted to bypass MFA and ensure the request was legitimate.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.attempt_bypass","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wbd-slu-e6s","createdAt":1589315643307,"name":"Okta MFA Bypass Attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the multi-factor authentication (MFA) factors for an enrolled Okta user are reset.\n\n## Strategy\nThis rule lets you monitor the following Okta event to determine when a user's MFA factors are reset:\n\n* `user.mfa.factor.reset_all`\n\nAn attacker may attempt to reset MFA factors in a bid to access other user accounts by registering new attacker-controlled MFA factors.\n\n## Triage and response\n1. 
Determine if the user: `{{@usr.email}}` should have reset the MFA factors of the targeted user.\n2. If the change was not made by the user:\n * Disable the affected user accounts.\n * Rotate user credentials.\n * Return targeted users MFA factors to the last known good state.\n * Begin your organization's incident response process and investigate.\n3. If the change was made by the user:\n * Determine if the user was authorized to make that change.\n * If **Yes**, ensure the targeted user has new MFA factors assigned in accordance with organization policies.\n * If **No**, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_success","distinctFields":[]},{"query":"source:okta @evt.name:user.mfa.factor.reset_all @evt.outcome:FAILURE","groupByFields":["@usr.email"],"aggregation":"count","name":"mfa_reset_failed","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Succeeded","condition":"mfa_reset_success > 0"},{"status":"info","notifications":[],"name":"Failed","condition":"mfa_reset_failed > 0"}],"type":"log_detection","id":"ap2-mxs-fyh","createdAt":1622443751239,"name":"Okta MFA reset for user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to sign on to an app based on sign-on policy.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to sign on to an app based on sign-on policy:\n\n* `application.policy.sign_on.deny_access`\n\n## Triage and response\n1. 
Inspect the `@target` array to determine why the user was denied access to sign on.\n2. Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:application.policy.sign_on.deny_access","groupByFields":["@usr.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"pjd-jyc-9fb","createdAt":1589315544752,"name":"Okta User Access Denied to Sign On"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is denied access to an app.\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a user is denied access to an app:\n\n* `app.generic.unauth_app_access_attempt`\n\n## Triage and response\n1. Determine whether or not the user should have access to this app.\n2. 
Contact the user to determine whether they attempted to access this app or whether their account is compromised.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:app.generic.unauth_app_access_attempt","groupByFields":["@usr.email","@target_app"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rht-pdf-gyx","createdAt":1607371843994,"name":"Okta User Attempted to Access Unauthorized App"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:okta","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when administrative privileges are provisioned to an Okta user.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when administrative privileges are provisioned:\n\n* `user.account.privilege.grant`\n\n## Triage and response\n1. Contact the Okta administrator: `{{@usr.email}}` to confirm that the user or users should have administrative privileges.\n2. 
If the change was **not** authorized, verify there are no other signals from the Okta administrator: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:user.account.privilege.grant","groupByFields":["@usr.email"],"aggregation":"count","name":"privilege_grant","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"privilege_grant > 0"}],"type":"log_detection","id":"onl-syw-pqn","createdAt":1622443751733,"name":"Okta administrator role assigned to user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a request is blocked due to a block list rule (such as an IP network zone or location rule).\n\n## Strategy\nThis rule lets you monitor the following Okta events to detect when a malicious IP address communicates with your Okta account:\n\n* `security.request.blocked`\n\n## Triage & Response\n1. Verify with the owner of `{{@usr.name}}` that they were attempting a request to `{{@target_app}}`.\n2. 
If the request cannot be verified with the user, correlate with other log sources to see if the blocked IP in the `title` of `{{@title}}` has communicated elsewhere on the network.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:security.request.blocked @evt.outcome:SUCCESS","groupByFields":["@network.client.ip","@target_app"],"aggregation":"count","name":"request_blocked","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"request_blocked > 10"}],"type":"log_detection","id":"y2s-qzk-u0a","createdAt":1622443750820,"name":"Okta blocked numerous requests from a malicious IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta [refresh token][1] is reused.\n\n## Strategy\nThis rule lets you monitor the following Okta events when token reuse is detected:\n\n* `app.oauth2.token.detect_reuse`\n* `app.oauth2.as.token.detect_reuse`\n\nAn attacker that has access to a refresh token could query the organization's authorization server `/token` endpoint to obtain additional access tokens. The additional access tokens potentially allow the attacker to get unauthorized access to applications.\n\n## Triage and response\n1. Determine if the source IP `{{@network.client.ip}}` is anomalous within the organization:\n * Does threat intelligence indicate that this IP has been associated with malicious activity?\n * Is the geo-location or ASN uncommon for the organization?\n * Has the IP created a `app.oauth2.token.detect_reuse` or `app.oauth2.as.token.detect_reuse` event previously?\n2. 
If the token reuse event has been determined to be malicious, carry out the following actions:\n * [Revoke compromised tokens][2].\n * Recycle the credentials of any impacted clients.\n * Begin your company's incident response process and investigate.\n\n[1]: https://developer.okta.com/docs/guides/refresh-tokens/main/\n[2]: https://developer.okta.com/docs/guides/revoke-tokens/main/","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:false","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse","distinctFields":[]},{"query":"source:okta @evt.name:(app.oauth2.token.detect_reuse OR app.oauth2.as.token.detect_reuse) @debugContext.debugData.threatSuspected:true","groupByFields":["@usr.email"],"aggregation":"count","name":"refresh_token_reuse_threat","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Threat suspected","condition":"refresh_token_reuse_threat > 0"},{"status":"low","notifications":[],"name":"Threat unlikely","condition":"refresh_token_reuse > 0"}],"type":"log_detection","id":"i4t-x8n-ack","createdAt":1622443751931,"name":"Okta one-time refresh token reused"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:okta"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an Okta policy rule is deleted.\n\n## Strategy\nThis rule lets you monitor the following Okta event to detect when a policy rule is deleted:\n\n* `policy.rule.delete`\n\n## Triage and response\n1. Contact the Okta administrator to confirm that the user: `{{@usr.email}}` should be deleting policy rules.\n2. 
If the change was **not** authorized, verify there are no other signals from the user: `{{@usr.email}}`.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:okta @evt.name:policy.rule.delete @evt.outcome:SUCCESS","groupByFields":["@usr.email"],"aggregation":"count","name":"policy_rule_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"policy_rule_deleted > 0"}],"type":"log_detection","id":"gxx-79h-brk","createdAt":1622443751301,"name":"Okta policy rule deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:onelogin","scope:onelogin","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user with appropriate privileges assumes another OneLogin user's identity. Logging in as another user allows the user to view another OneLogin user's account and perform actions on their behalf. \n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator assumes another OneLogin user's identity:\n\n* `@evt.name:USER_ASSUMED_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) should be legitimately assuming another user's identity.\n2. If the activity was not legitimate, review all activity from `{{@usr.name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_ASSUMED_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"admin_assumed_user","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"admin_assumed_user > 0"}],"type":"log_detection","id":"ohz-g7c-wkp","createdAt":1656426840747,"name":"OneLogin administrator assumed a user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","technique:T1098-account-manipulation","scope:onelogin","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin administrator grants additional privileges to another OneLogin user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when an administrator grants additional privileges to another OneLogin user:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\n## Triage and response\n1. Determine whether the user (`{{@actor_user_name}}`) should be legitimately adding additional roles to `@usr.name`. **Note:** The role granted to the user is not available in OneLogin logs.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:PRIVILEGE_GRANTED_TO_USER","groupByFields":["@usr.name"],"aggregation":"count","name":"user_granted_admin_privileges","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"user_granted_admin_privileges > 0"}],"type":"log_detection","id":"oks-cap-rw1","createdAt":1656426808697,"name":"OneLogin user granted administrative privileges"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin","tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to when a user is locked out:\n* `@evt.name:USER_LOCKED`\n\n## Triage and response\n1. Determine whether the user (`{{@usr.name}}`) was legitimately trying to authenticate and was locked out.\n2. If the activity was not legitimate, review all activity from the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_LOCKED","groupByFields":["@usr.name"],"aggregation":"count","name":"user_locked_out","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"user_locked_out > 0"}],"type":"log_detection","id":"efg-trs-jzb","createdAt":1656526301026,"name":"OneLogin user locked out"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:onelogin","scope:onelogin"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a OneLogin user views a secure note.\n\n## Strategy\nThis rule lets you monitor the following OneLogin events to detect when a user views a secure note:\n\n* `@evt.name:PRIVILEGE_GRANTED_TO_USER`\n\nThis rule is useful when correlating its findings with other anomalous events from the same OneLogin user (`{{@actor_user_name}}`).\n\n## Triage and response\n1. Determine whether the OneLogin user (`{{@actor_user_name}}`) should be legitimately accessing secure notes.\n2. If the activity was not legitimate, review all activity from `{{@actor_user_name}}` and the IP (`{{@network.client.ip}}`) associated with this signal. 
","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:onelogin @evt.name:USER_VIEWED_NOTE","groupByFields":["@actor_user_name"],"aggregation":"count","name":"viewed_secure_note","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"viewed_secure_note > 0"}],"type":"log_detection","id":"gl4-z5x-dun","createdAt":1656426832414,"name":"OneLogin user viewed secure note"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","requirement:Cardholder-Data","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","security:compliance","scope:google_service_account","requirement:Confidentiality","control:3.4","control:1.4","control:3.10","control:C1.1","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:8.2.1","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nUser managed service accounts should not have user-managed keys.\n\n## Rationale: \nAnyone who has access to the keys can access resources through the service account. GCP-managed keys are used by Cloud Platform services such as App Engine and Compute Engine. These keys cannot be downloaded. Google will keep the keys and automatically rotate them on an approximately weekly basis. User-managed keys are created, downloadable, and managed by users. 
They expire 10 years from creation.\nFor user-managed keys, you are responsible for key management activities including:\n- Key storage\n- Key distribution\n- Key revocation\n- Key rotation\n- Protecting the keys from unauthorized users\n- Key recovery\nEven with key owner precautions, it's easy to leak keys through common development accidents such as checking keys into the source code, leaving them in the Downloads directory, or posting them on support blogs.\nFor these reasons, it is recommended that you don't use user-managed service account keys.\n\n## Impact: \nDeleting user-managed service account keys may break communication with the applications using the keys.\n\n## Remediation: \n\n### From console:\n1. Go to the IAM page in the GCP Console at [https://console.cloud.google.com/iam-admin/iam][1].\n2. In the left navigation pane, click `Service accounts`. All service accounts and their\ncorresponding keys are listed.\n3. Click the service account.\n4. Click `Edit` and delete the keys.\n\n### From command line:\nTo delete a user-managed service account key run:\n```\ngcloud iam service-accounts keys delete --iam-account= \n```\n## Prevention:\nYou can disable service account key creation through the `Disable service account key creation` Organization policy by visiting [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation][2]. Learn more at: [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][3].\n\nIn addition, if you do not need service accounts in your project, you can prevent the creation of service accounts through the `Disable service account creation` Organization policy: [https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation][4].\n\n## Default value:\nBy default, there are no user-managed keys created for user-managed service accounts.\n\n## References:\n1. 
[https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys][5]\n2. [https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts][6]\n\n## Additional information:\nA user-managed key cannot be created on GCP-Managed Service Accounts.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountKeyCreation\n[3]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/iam-disableServiceAccountCreation\n[5]: https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n[6]: https://cloud.google.com/resource-manager/docs/organization-policy/restricting-service-accounts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.4","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"3.10","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nkey_parents_with_user_managed := {key.parent |\n\tkey := 
input.resources.gcp_iam_service_account_key[_]\n\tkey.key_type == \"USER_MANAGED\"\n}\n\neval(service_account) = \"fail\" if {\n\tkey_parents_with_user_managed[service_account.resource_name]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4cn-bpp-vya","createdAt":1654120292749,"name":"Only GCP-managed service account keys are used for service account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.14","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, has permissions of 400.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads. It holds the private key for the Docker server certificate. 
It must therefore have permissions of 400 to ensure that the certificate key file is not modified.\n\n## Audit\n\nVerify that the Docker server certificate key file has permissions of `400` by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nYou should execute the following command: `chmod 400 `\n\nThis sets the Docker server certificate key file permissions to 400.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker server certificate key file might not be 400. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.14","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"z0n-cod-mxi","createdAt":1602077570102,"name":"Only the owner of the server certificate key file can read its contents"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe Docker daemon requires access to the Docker socket which is, by default, owned by the user `root` and the group `docker`.\n\n## Rationale\n\nDocker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the `/` directory on your host to the container. The container is able to modify your host file system without any restrictions. 
This means that you could gain elevated privileges simply by being a member of the `docker` group and subsequently start a container which maps the root `/` directory on the host.\n\n\n## Audit\n\nRun the following command on the Docker host to see the members of the `docker` group, and ensure that only trusted users are members:\n\n```\ngetent group docker\n```\n\n## Remediation\n\nYou should remove any untrusted users from the `docker` group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.\n\n## Impact\n\nProvided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.\n\n## Default value\n\nNot Applicable\n\n## References\n\n1. [https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface]\n2. [https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful]\n3. [http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. 
\n\n[1]: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface \n[2]: https://www.andreas-jung.com/contents/on-docker-security-docker-group-considered-harmful \n[3]: http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.2","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dev-mh8-u1i","createdAt":1599598174666,"name":"Only the root account and Docker group members can control the Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.16","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file has permissions of 660 or are configured more restrictively.\n\n## Rationale\n\nOnly root and the members of the docker group should be allowed to read and write to the default Docker Unix socket. 
The Docker socket file should therefore have permissions of 660 or more restrictive permissions.\n\n## Audit\n\nVerify that the Docker socket file has permissions of `660` or more restrictive, by running: \n```\nstat -c %a /var/run/docker.sock\n```\n\n## Remediation\n\nRun the command `chmod 660 /var/run/docker.sock`\n\nThis sets the file permissions of the Docker socket file to 660.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the Docker socket file is correctly set to 660.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.16","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"jxv-zrr-1c1","createdAt":1599603387716,"name":"Only the root account and Docker group members can read and write to the Docker socket file"}]} + {"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"} headers: Content-Type: - application/json 
@@ -959,11 +789,11 @@ interactions: headers: Accept: - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=5&page%5Bsize%5D=100 + url: https://api.datadoghq.com/api/v2/security_monitoring/rules/3d9-oev-jbm method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.15","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker socket file is owned by root and group owned by docker.\n\n## Rationale\n\nThe Docker daemon runs as root. The default Unix socket therefore must be owned by root. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Docker daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior. Additionally, the Docker installer creates a Unix group called docker. You can add users to this group, and in this case, those users would be able to read and write to the default Docker Unix socket. The membership of the docker group is tightly controlled by the system administrator. However, ff any other group owns this socket, then it might be possible for members of that group to interact with the Docker daemon. Such a group might not be as tightly controlled as the docker group. Again, this is not in line with good security practice. 
For these reason, the default Docker Unix socket file should be owned by root and group owned by docker to maintain the integrity of the socket file.\n\n## Audit\n\nVerify that the Docker socket file is owned by root and group-owned by `docker` by running: \n```\nstat -c %U:%G /var/run/docker.sock | grep -v root:docker\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:docker /var/run/docker.sock`\n\nThis sets the ownership to root and group ownership to docker for the default Docker socket file.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group ownership for the Docker socket file is correctly set to root:docker.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option\n2. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.15","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ysh-lkt-poz","createdAt":1599605574088,"name":"Only the root account and Docker group members have ownership of the Docker socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.2","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the API server pod specification file ownership is set to root:root.\n\n## Rationale\n\nThe API server pod specification file controls various parameters that set the behavior of the API server. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, chown root:root /etc/kubernetes/manifests/kube-apiserver.yaml\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kube-apiserver.yaml file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/\n\n## CIS controls\n\nVersion 6 5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. Version 7 5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.2","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vbb-t30-k0f","createdAt":1599602893246,"name":"Only the root account and group have ownership of the API server pod specification file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.11","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that 
the Docker server certificate file, the file that is passed along with the `--tlscert` parameter, is individual owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate file should be protected from any tampering. It is used to authenticate the Docker server based on the given server certificate. It must therefore be individually owned and group owned by root to prevent modification by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root\n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and the group ownership for the Docker server certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for Docker server certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.11","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.11\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tkm-izb-xe1","createdAt":1602077837917,"name":"Only the root account and group have ownership of the Docker server certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:3.13","security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the Docker server certificate key file, the file that is passed along with the `--tlskey` parameter, is individually owned and group owned by root.\n\n## Rationale\n\nThe Docker server certificate key file should be protected from any tampering or unneeded reads/writes. 
As it holds the private key for the Docker server certificate, it must be individually owned and group owned by root to ensure that it cannot be accessed by less privileged users.\n\n## Audit\n\nVerify that the Docker server certificate key file is individually owned and group-owned by root, by running: \n```\nstat -c %U:%G | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the Docker server certificate key file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for the Docker server certificate key file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.13","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"oiu-e3x-yg6","createdAt":1602077710804,"name":"Only the root account and group have ownership of the Docker server certificate key file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.9","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert parameter`, is individually owned and group owned by root.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. 
It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.\n\n## Audit\n\nYou should execute the command below to verify that the TLS CA certificate file is owned and group owned by root: \n\n```\nstat -c %U:%G | grep -v root:root\n```\n\nThis command does not return any data.\n\n## Remediation\n\nRun the following command: `chown root:root `\n\nThis sets the individual ownership and group ownership for the TLS CA certificate file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.9","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"8nb-ex2-pqe","createdAt":1602076303298,"name":"Only the root account and group have ownership of the TLS CA certificate 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.14","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file ownership is set to root:root.\n\n## Rationale\n\nThe `admin.conf` file contains the admin credentials for the cluster. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/admin.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `admin.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.14","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"kcn-wwa-os0","createdAt":1599604720378,"name":"Only the root account and group have ownership of the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.17","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file individual ownership and group ownership is correctly set to root.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that could alter the behavior of the docker daemon. 
It should therefore be owned and group owned by root to ensure it can not be modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file is owned and group-owned by root by running: \n```\nstat -c %U:%G /etc/docker/daemon.json | grep -v root:root \n```\nThe command should return no results.\n\n## Remediation\n\nRun `chown root:root /etc/docker/daemon.json`\n\nThis sets the ownership and group ownership for the file to root.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.17","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hlb-qzw-opk","createdAt":1599603264485,"name":"Only the root account and group have ownership of the daemon.json 
file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent","control:3.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore be individually and group owned by the root user in order to ensure that it is not modified or corrupted by a less privileged user.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service \n ```\n2. If the file does not exist, this recommendation is not applicable. If the file exists, verify that it is owned and group-owned by root, by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.service | grep -v root:root \n ```\n The command should not return anything.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path, in order to set the ownership and group ownership for the file to root.\n\nFor example, `chown root:root /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone.\n\n## Default value\n\nThis file may not be present on the system and if it is not, this recommendation is not applicable. By default, if the file is present, the correct permissions are for the ownership and group ownership to be set to \"root\".\n\n## References\n\n1. 
https://docs.docker.com/engine/admin/systemd/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.1","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mhz-jes-n2m","createdAt":1599601536215,"name":"Only the root account and group have ownership of the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","control:3.3","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.socket file ownership and group ownership are correctly set to root.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. For this reason, it should be owned and group owned by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file is owned and group-owned by root by running the following command with the correct filepath:\n ```\n stat -c %U:%G /usr/lib/systemd/system/docker.socket | grep -v root:root \n ```\n The command should not return a value.\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below, including the correct file path to set the ownership and group ownership for the file to root. For example, `chown root:root /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the ownership and group ownership for it should be set to root.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option 2. https://github.com/docker/docker-ce/blob/master/components/packaging/deb/systemd/docker.socket\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.3","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"vc0-12t-fpa","createdAt":1599605321060,"name":"Only the root account and group have ownership over the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.7","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under the `/etc/docker/certs.d/` directory, are individually owned and group owned by root.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. 
These certificate files must be individually owned and group owned by root to ensure that less privileged users are unable to modify the contents of the directory.\n\n## Audit\n\nYou should execute the command below to verify that the registry certificate files are individually owned and group owned by root: \n\n```\nstat -c %U:%G /etc/docker/certs.d/* | grep -v root:root \n```\n\nThis command does not return any data.\n\n## Remediation\n\nExecute the following command: `chown root:root /etc/docker/certs.d//*`\n\nThis sets the individual ownership and group ownership for the registry certificate files to root.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the individual ownership and group ownership for registry certificate files is correctly set to root.\n\n## References\n\n1. https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.7","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fbv-qsy-urc","createdAt":1599599454050,"name":"Only the root account and group have ownership over the registry certificate file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.13","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `admin.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe admin.conf is the administrator kubeconfig file defining various settings for the administration of the cluster. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/admin.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/admin.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, admin.conf has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.13","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.13\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zlc-pqm-t1x","createdAt":1599605384539,"name":"Only the root account has write permissions to the admin.conf file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.18","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the daemon.json file permissions 
are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe daemon.json file contains sensitive parameters that may alter the behavior of the docker daemon. Therefore it should be writeable only by root to ensure it is not modified by less privileged users.\n\n## Audit\n\nVerify that the `daemon.json` file permissions are set to `644` or more restrictive, by running: \n```\nstat -c %a /etc/docker/daemon.json\n```\n\n## Remediation\n\nRun `chmod 644 /etc/docker/daemon.json`\n\nThis sets the file permissions for this file to 644.\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system, and in that case, this recommendation is not applicable.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.18","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7df-4w8-g7l","createdAt":1599602831833,"name":"Only the root account has write permissions to the daemon.json file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.2","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the docker.service file permissions are either set to 644 or to a more restrictive value.\n\n## Rationale\n\nThe docker.service file contains sensitive parameters that may alter the behavior of the Docker daemon. It should therefore not be writable by any other user other than root in order to ensure that it can not be modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or a more restrictive value by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.service\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.service`\n2. If the file does not exist, this recommendation is not applicable. If the file exists, execute the command below including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.service`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions are correctly set to 644.\n\n## References\n\n1. https://docs.docker.com/articles/systemd/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.2","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"zyv-o6s-69z","createdAt":1599601721176,"name":"Only the root account has write permissions to the docker.service file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.4","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.\n\n## Rationale\n\nThe docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.\n\n## Audit\n\n1. Locate the `docker.socket` file by running: \n ```\n systemctl show -p FragmentPath docker.socket \n ```\n2. If the file does not exist, this recommendation is not applicable. 
If the file exists, verify that the file permissions are set to `644` or more restrictively, by running the following command with the correct filepath:\n ```\n stat -c %a /usr/lib/systemd/system/docker.socket\n ```\n\n## Remediation\n\n1. Find out the file location: `systemctl show -p FragmentPath docker.socket`\n2. If the file does not exist, this recommendation is not applicable. If the file does exist, you should execute the command below, including the correct file path to set the file permissions to 644. For example, `chmod 644 /usr/lib/systemd/system/docker.socket`\n\n## Impact\n\nNone\n\n## Default value\n\nThis file may not be present on the system and in that case, this recommendation is not applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.\n\n## References\n\n1. https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket\n2. https://github.com/YungSang/fedora-atomic-packer/blob/master/oem/docker.socket\n3. http://daviddaeschler.com/2014/12/14/centos-7rhel-7-and-docker-containers-on-boot/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myf-zyh-89p","createdAt":1599604656679,"name":"Only the root account has write permissions to the docker.socket file"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.3","control:CC6.7","scope:ec2","security:compliance","source:ec2","control:CC6.6","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Compliance","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nReduce the probability of a breach by checking [EC2 security groups][1] for outbound rules that allow unfettered access to any TCP/UDP ports and restrict access to IP addresses that require this port.\n\n## Rationale\n\nMalicious activity, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, can occur when permitting 
unfettered outbound access.\n\n## Remediation\n\n### Console\n\nFollow the [Security group rules][2] docs to learn how to add a security group rule that will restrict access to IP addresses that require a specific port.\n\n### CLI\n\n1. Run `revoke-security-group-egress` to remove IP permissions for the selected EC2 security group.\n\n ```\n aws ec2 revoke-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n2. Run `authorize-security-group-egress` with new parameters to restrict outbound access to specific destinations.\n\n ```\n aws ec2 authorize-security-group-egress\n --group-id your-group-id\n --ip-permissions '[{\"IpProtocol\": \"tcp\", \"FromPort\": 22, \"ToPort\": 22, \"IpRanges\": [{\"CidrIp\": \"0.0.0.0/0\"}]}]'\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html\n[2]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.1
3.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprotocol_icmp_or_1(protocol) if {\n\tprotocol == \"icmp\"\n} else {\n\tprotocol == \"1\"\n}\n\nunrestricted_ip_range(ip_range) if {\n\tip_range == \"0.0.0.0/0\"\n} else {\n\tip_range == \"::/0\"\n}\n\neval(group) = \"fail\" if {\n\trule := group.rules[_]\n\trule.direction == \"egress\"\n\tnot protocol_icmp_or_1(rule.protocol)\n\tunrestricted_ip_range(rule.ip_range)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"7lr-jfm-vcf","createdAt":1599574005188,"name":"Outbound access on all ports is restricted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1497-virtualization-sandbox-evasion","source:runtime-security-agent","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace system call with the `PTRACE_TRACEME` argument, indicating a program actively attempting to avoid debuggers attaching to the process. 
This behavior is typically indicative of malware activity.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. One limitation of this system call is that a process can only have one trace, and malicious actors have been observed making use of this limitation to prevent debuggers from attaching to malicious processes for the purpose of forensics or analysis.\n\n## Triage and response\n1. Check the name of the process using TRACEME\n2. If this file is not known or authorized, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_antidebug","groupByFields":["host"],"aggregation":"count","name":"ptrace_antidebug","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_antidebug","condition":"ptrace_antidebug > 0"}],"type":"workload_security","id":"u1r-hw3-pst","createdAt":1650464539514,"name":"PTRACE_TRACEME used to prevent process debugging"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect installation of software using a package management utility (`apt` or `yum`) in a container.\n\n## Strategy\nAfter an attacker's initial intrusion into a victim's container (for example, through a web shell exploit), they may attempt to install tools and utilities for a variety of malicious purposes. This detection triggers when one of a set of common package management utilities installs a package in a container. 
Package management in containers is against best practices which highly emphasize immutability. If this is unexpected behavior, it could indicate an attacker attempting to install tools to further compromise your systems.\n\n\n## Triage and response\n1. Determine whether or not this is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise. This may be achieved by terminating the workload, depending on the stage of attack.\n3. Look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and the tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:package_management_in_container @process.args:(add OR *install OR \"-i\")","groupByFields":["host"],"aggregation":"count","name":"package_management_in_container","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"package_management_in_container","condition":"package_management_in_container > 0"}],"type":"workload_security","id":"dgu-gba-tuf","createdAt":1617722067648,"name":"Package installed in container"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1222","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nTo access protected files and directories, attackers may attempt to change the permissions on these files and directories.\n\n## Strategy\nThis detection monitors the permissions changes to sensitive files and directories such as `/etc/` and `/sbin/`.\n\n## Triage & Response\n1. 
Check to see if the file or directory was made more permissive.\n2. Check which user or process made the change.\n3. If these changes are unexpected, contain the host or container and roll back to the last known good configuration.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:runtime-security-agent @agent_rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"previous_agent_rule","distinctFields":[]},{"query":"source:runtime-security-agent @agent.rule_id:\"permissions_changed\"","groupByFields":["host"],"aggregation":"count","name":"current_agent_rule","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"previous_agent_rule > 0 || current_agent_rule > 0"}],"type":"workload_security","id":"mj3-ucf-hr6","createdAt":1598516746259,"name":"Permissions were changed on sensitive Linux files"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Controller-Manager","control:1.3.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAllow pods to verify the API server's serving certificate before establishing connections.\n\n## Rationale\n\nProcesses running within pods that need to contact the API server must verify the API server's serving certificate. Failing to do so could be a subject to man-in-the-middle attacks. 
Providing the root certificate for the API server's serving certificate to the controller manager with the `--root-ca-file` argument allows the controller manager to inject the trusted bundle into pods so that they can verify TLS connections to the API server.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-controller-manager\n```\nVerify that the `--root-ca-file` argument exists and is set to a certificate bundle file containing the root certificate for the API server's serving certificate.\n\n## Remediation\n\nEdit the Controller Manager pod specification file `/etc/kubernetes/manifests/kube-controller-manager.yaml` on the master node and set the `--root-ca-file` parameter to the certificate bundle file: `--root-ca-file=`\n\n## Impact\n\nYou need to setup and maintain root certificate authority file.\n\n## Default value\n\nBy default, `--root-ca-file` is not set.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-controller-manager/ ][1]\n2. [https://github.com/kubernetes/kubernetes/issues/11000][2]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://kubernetes.io/docs/admin/kube-controller-manager/ \n[2]: https://github.com/kubernetes/kubernetes/issues/11000\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.3.5","framework":"cis-kubernetes","requirement":"Controller-Manager","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.3.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"k7t-yxp-axc","createdAt":1599598174692,"name":"Pods utilize `root-ca-file` to pass serving certificates to the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:ec2","iaas:aws","technique:T1037-boot-or-logon-initialization-scripts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to modify a [user data script][1] on an EC2 instance.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to modify the user data script on an EC2 instance using the following API calls:\n\n* [`StopInstances`][2]\n* [`ModifyInstanceAttribute`][3]\n* [`StartInstances`][4]\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have modified the user data script associated with `{{host}}`.\n2. 
If the API calls were not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Follow your company's incident response process to determine the impact to `{{host}}`.\n * Revert the user data script to the last known good state with the `aws-cli` command [modify-instance-attribute][5] or use the [AWS Console][6].\n3. If the API calls were made by the user:\n * Determine if the user should be modifying this user data script.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyInstanceAttribute.html\n[4]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-instance-attribute.html\n[6]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-view-change","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StopInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"stop_instance","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:ModifyInstanceAttribute @requestParameters.userData:* ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com 
-@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"modify_instance_attribute","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @evt.name:StartInstances ((-@http.useragent:opsworks.amazonaws.com -@userIdentity.invokedBy:opsworks.amazonaws.com) (-@http.useragent:cloudformation.amazonaws.com -@userIdentity.invokedBy:cloudformation.amazonaws.com))","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"start_instance","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"stop_instance > 0 && modify_instance_attribute > 0 && start_instance > 0"}],"type":"log_detection","id":"suz-czd-zxh","createdAt":1652796652545,"name":"Possible AWS EC2 privilege escalation via the modification of user data"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","scope:iam","iaas:aws","technique:T1078-valid-accounts","source:cloudtrail","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to create a password for a specified IAM user.\n\n## Strategy\nThis rule allows you to monitor CloudTrail and detect if an attacker has attempted to create a password for an IAM user using the [`CreateLoginProfile`][1] API call.\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Remove any passwords generated by the user with the `aws-cli` command [delete-login-profile][2] or use the [AWS Console][3].\n3. 
If the API call was made by the user:\n * Determine if the user should be performing this API call.\n * If No, see if other API calls were made by the user and determine if they warrant further investigation.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-login-profile.html\n[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:iam.amazonaws.com @eventName:CreateLoginProfile status:error","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"loginprofile","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"loginprofile > 0"}],"type":"log_detection","id":"dkd-gqh-zrs","createdAt":1652796676631,"name":"Possible Privilege Escalation via AWS IAM CreateLoginProfile"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","technique:T1537-transfer-data-to-cloud-account","source:cloudtrail","scope:rds","tactic:TA0010-exfiltration"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a user attempting to exfiltrate data from an RDS Snapshot.\n\n## Strategy\nThis rule lets you monitor the [ModifyDBClusterSnapshotAttribute][1] CloudTrail API calls to detect when an RDS snapshot is made public.\n\nThis rule also inspects the:\n * `@requestParameters.valuesToAdd` array to determine if the string `all` is contained. This is the indicator which means the RDS snapshot is made public.\n * `@requestParameters.attributeName` array to determine if the string `restore` is contained. 
This is the indicator which means the RDS snapshot was shared with a new or unkown AWS Account.\n\n## Triage and response\n1. Confirm if the user: `{{@userIdentity.arn}}`intended to make the RDS snaphsot public.\n2. If the user did not make the API call:\n * Rotate the credentials.\n * Investigate if the same credentials made other unauthorized API calls.\n\n## Changelog\n* 11 October 2022 - updated severity.\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-cluster-snapshot-attribute.html#modify-db-cluster-snapshot-attribute\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:ModifyDBClusterSnapshotAttribute @requestParameters.valuesToAdd:all","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_made_public","distinctFields":[]},{"query":"source:cloudtrail @eventSource:rds.amazonaws.com @evt.name:(ModifyDBClusterSnapshotAttribute OR ModifyDBSnapshotAttribute) @requestParameters.attributeName:restore -@http.useragent:(*AWS_Lambda* OR *AWS_ECS_FARGATE* OR backup.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"rds_snapshot_shared","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Snapshot was shared","condition":"rds_snapshot_shared > 0"},{"status":"high","notifications":[],"name":"Snapshot was made public","condition":"rds_snapshot_made_public > 0"}],"type":"log_detection","id":"jqf-lpu-us1","createdAt":1594140309127,"name":"Possible RDS Snapshot 
Exfiltration"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","control:2.5","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no PostgreSQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nPostgreSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific datacenters.\n\n### Impact\n\nDisabling Allow access to Azure Services will break all connections to PostgreSQL server and Hosted Databases unless custom IP specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to PostgreSQL servers\n2. For each PostgreSQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzPostgreSqlFirewallRule -Name -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nNew-AzPostgreSqlFirewallRule -Name \"\" -ResourceGroupName \"\" -ServerName \"\" -EndIPAddress \"\" -StartIPAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules][1]\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/concepts-firewall-rules","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.5","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requireme
nt":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_postgresql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"f2j-y8v-pht","createdAt":1635237002781,"name":"PostgreSQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1566-phishing","source:azure","scope:azure","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when a user grants an application consent to access their data. An adversary may create an Azure-registered application to access data such as contact information, emails, or documents.\n\n## Strategy\nMonitor Azure AD Audit logs for the following `@evt.name`:\n\n* `Consent to application`\n\nMonitor Microsoft 365 Audit logs for the following `@evt.name`:\n\n* `Consent to application.`\n\nBecause these are thirty-party applications external to the organization, normal remediation steps like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts are not effective against this type of attack.\n\n## Triage and response\n1. 
See the official [Microsoft playbook][1] on responding to a potential Illicit Consent Grant.\n2. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out false positives.\n\n[1]: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.activedirectory @evt.category:AuditLogs @evt.name:\"Consent to application\" @evt.outcome:success","groupByFields":["@usr.id"],"aggregation":"count","name":"azure_ad_successful_consent_to_application","distinctFields":[]},{"query":"source:microsoft-365 @evt.category:AuditLogs @evt.name:\"Consent to application.\" @evt.outcome:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"o365_successful_consent_to_application","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"azure_ad_successful_consent_to_application > 0 || o365_successful_consent_to_application > 0"}],"type":"log_detection","id":"wu4-vsa-pec","createdAt":1658914589512,"name":"Potential Illicit Consent Grant attack via Azure registered application"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with an administrative service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the 
`@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 21 (FTP)\n* 22 (SSH)\n* 23 (Telnet)\n* 445 (SMB)\n* 2375 (Docker daemon)\n* 3389 (RDP)\n* 5900 (VNC)\n* 5985 (WinRM HTTP)\n* 5986 (WinRM HTTPS)\n\nAdministrative ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. 
Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n## Changelog\n26 August 2022 - Updated rule query\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986) OR @requestParameters.ipPermissions.items.fromPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.toPort:(21 OR 22 OR 3389 OR 5900 OR 2375 OR 5985 OR 5986 OR 23 OR 445) OR @requestParameters.ipPermissions.items.toPort:(21 OR 22 OR 23 OR 445 OR 2375 OR 3389 OR 5900 OR 5985 OR 5986)) @http.useragent:cloudformation.amazonaws.com 
@userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:21 OR @requestParameters.ipPermissions.items.fromPort:21 OR @requestParameters.toPort:21 OR @requestParameters.ipPermissions.items.toPort:21)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ftp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:22 OR @requestParameters.ipPermissions.items.fromPort:22 OR @requestParameters.toPort:22 OR @requestParameters.ipPermissions.items.toPort:22)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_ssh_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3389 OR @requestParameters.ipPermissions.items.fromPort:3389 OR @requestParameters.toPort:3389 OR @requestParameters.ipPermissions.items.toPort:3389)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_rdp_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) 
(@requestParameters.fromPort:5900 OR @requestParameters.ipPermissions.items.fromPort:5900 OR @requestParameters.toPort:5900 OR @requestParameters.ipPermissions.items.toPort:5900)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_vnc_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:2375 OR @requestParameters.ipPermissions.items.fromPort:2375 OR @requestParameters.toPort:2375 OR @requestParameters.ipPermissions.items.toPort:2375)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_dockerd_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5985 OR @requestParameters.ipPermissions.items.fromPort:5985 OR @requestParameters.toPort:5985 OR @requestParameters.ipPermissions.items.toPort:5985)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5986 OR @requestParameters.ipPermissions.items.fromPort:5986 OR @requestParameters.toPort:5986 OR @requestParameters.ipPermissions.items.toPort:5986)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_winrm_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress 
(@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:23 OR @requestParameters.ipPermissions.items.fromPort:23 OR @requestParameters.toPort:23 OR @requestParameters.ipPermissions.items.toPort:23)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_telnet_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:445 OR @requestParameters.ipPermissions.items.fromPort:445 OR @requestParameters.toPort:445 OR @requestParameters.ipPermissions.items.toPort:445)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_smb_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"FTP","condition":"sg_ftp_port > 0"},{"status":"high","notifications":[],"name":"SSH","condition":"sg_ssh_port > 0"},{"status":"high","notifications":[],"name":"RDP","condition":"sg_rdp_port > 0"},{"status":"high","notifications":[],"name":"VNC","condition":"sg_vnc_port > 0"},{"status":"high","notifications":[],"name":"Docker Daemon","condition":"sg_dockerd_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTP","condition":"sg_winrm_http_port > 0"},{"status":"high","notifications":[],"name":"WinRm HTTPS","condition":"sg_winrm_https_port > 0"},{"status":"high","notifications":[],"name":"Telnet","condition":"sg_telnet_port > 0"},{"status":"high","notifications":[],"name":"SMB","condition":"sg_smb_port > 0"}],"type":"log_detection","id":"d8d-usi-xuo","createdAt":1652796652158,"name":"Potential administrative port open to 
the world via AWS security group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","tactic:TA0006-credential-access","source:cloudtrail","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is a victim of an Account Take Over (ATO) by a brute force attack.\n\n## Strategy\n This rule monitors CloudTrail and detects when any `@evt.name` has a value of `Console Login`, and `@responseElements.ConsoleLogin` has a value of `Failure`.\n\n## Triage and response\n1. Determine if the user logged in with 2FA.\n2. Reach out to the user and ensure the login was legitimate.\n\n## Changelog \n17 March 2022 - Update rule query.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Failure","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:false","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_without_mfa","distinctFields":[]},{"query":"source:cloudtrail @evt.name:ConsoleLogin @responseElements.ConsoleLogin:Success @userIdentity.sessionContext.attributes.mfaAuthenticated:true","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"successful_login_with_mfa","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful - MFA Unused","condition":"failed_login > 5 && successful_login_without_mfa > 0"},{"status":"info","notifications":[],"name":"Successful Login - MFA Used","condition":"failed_login > 5 && successful_login_with_mfa > 0"},{"status":"info","notifications":[],"name":"Failed 
Login","condition":"failed_login > 5"}],"type":"log_detection","id":"csj-nez-h1v","createdAt":1584475581986,"name":"Potential brute force attack on AWS ConsoleLogin"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","threat_intel_category:cryptomining","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a host is potentially infected with a cryptominer.\n\n## Strategy\nThis rule compares the `@network.client.ip` standard attribute to a curated list of cryptomining pools.\n\n## Triage and response\n1. Determine if the `{{host}}` host should be contacting a cryptomining pool.\n2. If not, begin your company's IR process.\n\n**Note** You can use the signal sidepanel to assist with the initial investigation by looking at CPU utilization and processes to identify unauthorized activity.\n\n## Changelog\n- 8 April 2022 - Initial beta release to select organizations.\n- 13 April 2022 - Added additional filters for specific ports to reduce false positives. 
\n- 26 April 2022 - Removed restrictedToOrgs settings, launching rule to all of production.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@threat_intel.results.category:cryptomining @network.destination.port:(6641 OR 6642 OR 9000 OR 9999 OR 14433 OR 10191 OR 20009) host:*","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"cgb-2rq-tqx","createdAt":1650989902666,"name":"Potential cryptomining detected through IP callback"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","requirement:Monitoring","framework:cis-aws","source:cloudtrail","technique:T1562-impair-defenses","control:4.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world on a port commonly associated with a database service.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [`AuthorizeSecurityGroupIngress`][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` or `@requestParameters.cidrIp` array to determine if either of the strings are contained - `0.0.0.0/0` or `::/0` for the following ports:\n* 1433 (MSSQL)\n* 3306 (MySQL)\n* 5432 (PostgresSQL)\n* 5984/6984 (CouchDB)\n* 6379 (Redis)\n* 9200 (Elasticsearch)\n* 27017 (MongoDB)\n\nDatabase ports that are open to the world are a common target for attackers to gain unauthorized access to resources or data.\n\n**Note:** There is a separate rule to detect AWS [Security Group Open to the World][2].\n\n## Triage and response\n1. 
Determine if `{{@userIdentity.session_name}}` should have made a `{{@evt.name}}` API call.\n2. If the API call was not made by the user:\n * Rotate the user credentials.\n * Determine what other API calls were made by the user.\n * Investigate VPC flow logs and OS system logs to determine if unauthorized access occurred.\n3. If the API call was made legitimately by the user:\n * Advise the user to modify the IP range to the company private network or bastion host.\n4. Revert security group configuration back to known good state if required:\n * Use the `aws-cli` command [`revoke-security-group-ingress`][3] or the [AWS console][4] to remove the rule.\n * Use the `aws-cli` command [`modify-security-group-rules`][5] or [AWS console][6] to modify the existing rule.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n[2]: https://docs.datadoghq.com/security_platform/default_rules/aws-security-group-open-to-world/\n[3]: https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html\n[4]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#deleting-security-group-rules\n[5]: https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-security-group-rules.html\n[6]: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#updating-security-group-rules","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.fromPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR 
@requestParameters.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200) OR @requestParameters.ipPermissions.items.toPort:(3306 OR 5432 OR 1433 OR 27017 OR 6379 OR 5984 OR 6984 OR 9200)) @http.useragent:cloudformation.amazonaws.com @userIdentity.invokedBy:cloudformation.amazonaws.com","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_opened_by_automated_service","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:3306 OR @requestParameters.ipPermissions.items.fromPort:3306 OR @requestParameters.toPort:3306 OR @requestParameters.ipPermissions.items.toPort:3306)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mysql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5432 OR @requestParameters.ipPermissions.items.fromPort:5432 OR @requestParameters.toPort:5432 OR @requestParameters.ipPermissions.items.toPort:5432)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_postgres_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:1433 OR @requestParameters.ipPermissions.items.fromPort:1433 OR @requestParameters.toPort:1433 OR 
@requestParameters.ipPermissions.items.toPort:1433)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mssql_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:27017 OR @requestParameters.ipPermissions.items.fromPort:27017 OR @requestParameters.toPort:27017 OR @requestParameters.ipPermissions.items.toPort:27017)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_mongodb_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:6379 OR @requestParameters.ipPermissions.items.fromPort:6379 OR @requestParameters.toPort:6379 OR @requestParameters.ipPermissions.items.toPort:6379)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_redis_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:5984 OR @requestParameters.ipPermissions.items.fromPort:5984 OR @requestParameters.toPort:5984 OR @requestParameters.ipPermissions.items.toPort:5984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_http_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" 
OR \"::/0\")) (@requestParameters.fromPort:6984 OR @requestParameters.ipPermissions.items.fromPort:6984 OR @requestParameters.toPort:6984 OR @requestParameters.ipPermissions.items.toPort:6984)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_couchdb_https_port","distinctFields":[]},{"query":"source:cloudtrail @eventSource:ec2.amazonaws.com @eventName:AuthorizeSecurityGroupIngress (@requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\") OR @requestParameters.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")) (@requestParameters.fromPort:9200 OR @requestParameters.ipPermissions.items.fromPort:9200 OR @requestParameters.toPort:9200 OR @requestParameters.ipPermissions.items.toPort:9200)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"sg_elastic_search_port","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Event generated by automated service","condition":"sg_opened_by_automated_service > 0"},{"status":"high","notifications":[],"name":"MySQL","condition":"sg_mysql_port > 0"},{"status":"high","notifications":[],"name":"PostgresSQL","condition":"sg_postgres_port > 0"},{"status":"high","notifications":[],"name":"MSSQL","condition":"sg_mssql_port > 0"},{"status":"high","notifications":[],"name":"MongoDB","condition":"sg_mongodb_port > 0"},{"status":"high","notifications":[],"name":"redis","condition":"sg_redis_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTP","condition":"sg_couchdb_http_port > 0"},{"status":"high","notifications":[],"name":"CouchDB HTTPS","condition":"sg_couchdb_https_port > 0"},{"status":"high","notifications":[],"name":"Elasticsearch","condition":"sg_elastic_search_port > 0"}],"type":"log_detection","id":"1wf-ivp-q2g","createdAt":1652796776858,"name":"Potential database port open to the world via AWS security 
group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.6","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use automatically generated self-signed certificates for TLS connections between peers.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster. Hence, do not use self-signed certificates for authentication.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--peer-auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--peer-auto-tls` parameter or set it to false. \n\n```\n--peer-auto-tls=false\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-auto-tls` argument is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. 
[https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls][3]\n\n## CIS controls\n\nVersion 6.14 Controlled Access Based on the Need to Know\n\nVersion 7.4 Controlled Use of Administrative Privileges \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.6","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l0y-lyz-foj","createdAt":1599598174666,"name":"Prevent use of self-signed certificates for TLS connections between etcd peers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Docker-Daemon-Configuration","control:2.4","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDocker considers a private registry either secure or insecure. By default, registries are considered secure.\n\n## Rationale\n\nA secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the `/etc/docker/certs.d//` directory. An insecure registry is one which does not have a valid registry certificate, or one not not using TLS. You should not use insecure registries because they present a risk of traffic interception and modification. 
Additionally, once a registry has been marked as insecure, commands such as `docker pull`, `docker push`, and `docker search` will not result in an error message, and users may indefinitely be working with this type of insecure registry without ever being notified of the risk of potential compromise.\n\n## Audit\n\nFind out if any insecure registries are in use by running: \n```\ndocker info --format 'Insecure Registries: {{.RegistryConfig.InsecureRegistryCIDRs}}'\n```\n\n## Remediation\n\nYou should ensure that no insecure registries are in use.\n\n## Impact\n\nNone.\n\n## Default value\n\nBy default, Docker assumes all registries except local ones are secure.\n\n## References\n\n1. [https://docs.docker.com/registry/insecure/][1]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://docs.docker.com/registry/insecure/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.4","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"wki-o8r-1ha","createdAt":1599604688564,"name":"Private registry uses TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.4","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUsing the `--privileged` flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the `--cap-add` and `--cap-drop` flags. For this reason, ensure that it is not used.\n\n## Rationale\n\nThe `--privileged` flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'` This command returns `Privileged=false` for each container instance.\n\n## Remediation\n\nDo not run containers with the `--privileged` flag. 
For example, do not start a container using the command `docker run --interactive --tty --privileged centos /bin/bash`\n\n## Impact\n\nIf you start a container without the `--privileged` flag, it will not have excessive default capabilities.\n\n## Default value\n\nFalse\n\n## References\n\n1. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.4","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rbd-urm-klo","createdAt":1599602708557,"name":"Privileged containers are not used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.7","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TCP/IP port numbers below 1024are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. 
Docker does, however allow a container port to be mapped to a privileged port.\n\n## Rationale\n\nBy default, if the user does not specifically declare a container port to host port mapping, Docker automatically and correctly maps the container port to one available in the `49153`-`65535` range on the host. Docker does, however, allow a container port to be mapped to a privileged port on the host if the user explicitly declares it. This is because containers are executed with `NET_BIND_SERVICE` Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.\n\n## Audit\n\nList all running containers instances and their port mappings by executing this command: `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'` You should then review the list and ensure that container ports are not mapped to host port numbers below `102.4`.\n\n## Remediation\n\nDo not map container ports to privileged host ports when starting a container. You should also ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, mapping a container port to a privileged port on the host is allowed.\n\n**Note**: There might be certain cases where you want to map privileged ports, because if you forbid it, then the corresponding application has to run outside of a container.\n\nFor example: HTTP and HTTPS load balancers have to bind `80/tcp` and `443/tcp` respectively. Forbidding to map privileged ports effectively forbids from running those in a container, and mandates using an external load balancer. In such cases, those containers instances should be marked as exceptions for this recommendation.\n\n## References\n\n1. 
https://docs.docker.com/engine/userguide/networking/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.7","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.7\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ua5-ygj-jad","createdAt":1599602153218,"name":"Privileged ports are not mapped within containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","tactic:TA0040-impact","technique:T1496-resource-hijacking","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect when a process launches with arguments associated with cryptocurrency miners.\n\n## Strategy\n\nCryptocurrency miners are often executed with unique arguments such as `--donate-level`. This can be used to identify suspicious processes with high confidence.\n\n## Triage and response\n\n1. Isolate the workload.\n2. Use host metrics to verify if cryptocurrency mining is taking place. This will be indicated by an increase in CPU usage.\n3. 
Review the process tree and related signals to determine the initial entry point.\n\n*Requires agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:cryptominer_args","groupByFields":["host"],"aggregation":"count","name":"cryptominer_args","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"cryptominer_args","condition":"cryptominer_args > 0"}],"type":"workload_security","id":"t95-1rc-mwi","createdAt":1660014107186,"name":"Process arguments match cryptocurrency miner"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1055-process-injection","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect usage of the ptrace systemcall to inject code into another process.\n\n## Strategy\nThe ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.\n\n## Triage and response\n1. Check the name of the process doing the injection (the tracer).\n2. Identify if the file doing the injection (the tracer) is authorized.\n3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. 
Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:ptrace_injection","groupByFields":["host"],"aggregation":"count","name":"ptrace_injection","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"ptrace_injection","condition":"ptrace_injection > 0"}],"type":"workload_security","id":"1p3-rn6-jue","createdAt":1650464539501,"name":"Process injected into another process"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1068-Exploitation-for-Privilege-Escalation","source:runtime-security-agent","tactic:TA0004-Privilege-Escalation","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect exploitation of CVE-2021-4034 dubbed PwnKit.\n\n## Strategy\n\nPwnKit is a local privilege escalation vulnerability originally found by [Qualys](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034). It affects PolicyKit\u2019s `pkexec` program, which is a SUID-root program installed by default on many Linux distributions. This detection triggers whenever `pkexec` is executed by a non-root process with the `SHELL` and `PATH` variables set.\n\n## Triage and response\n\n1. Determine the purpose of the process executing `pkexec`.\n2. Look for any suspicious actions or commands being executed after the `pkexec` execution.\n3. If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. 
Ensure to update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on `pkexec` with the following command: `sudo chmod -s \\$(which pkexec)`.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:pwnkit_privilege_escalation","groupByFields":["host"],"aggregation":"count","name":"pwnkit_privilege_escalation","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"pwnkit_privilege_escalation","condition":"pwnkit_privilege_escalation > 0"}],"type":"workload_security","id":"yne-n4q-dfs","createdAt":1643646954692,"name":"Pwnkit privilege escalation attempt"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1059-command-and-scripting-interpreter","tactic:TA0002-execution","source:runtime-security-agent","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\n\nDetect Python code being provided and executed on the command line using the `-c` flag.\n\n## Strategy\n\nPython code can be specified on the command line using the `-c` flag. Attackers may use this to run \"one-liners\" which establish communication with an attacker-run server, download additional malware, or otherwise advance their mission. Libraries such as `socket` and `subprocess` are commonly used in these attacks and are unlikely to have a legitimate purpose when used in this way.\n\n## Triage and response\n\n1. Review the process tree and identify if the Python command is expected.\n2. If the command is not expected, contain the host or container and roll back to a known good configuration.\n3. 
Start the incident response process and determine the initial entry point.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:python_cli_code @process.args:(*SOCK_STREAM* OR *subprocess* OR *\\/bash* OR *\\/bin\\/sh* OR *pty.spawn*)","groupByFields":["host"],"aggregation":"count","name":"python_cli_code_suspicious","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"python_cli_code_suspicious","condition":"python_cli_code_suspicious > 0"}],"type":"workload_security","id":"2mr-svj-kxj","createdAt":1655147245805,"name":"Python executed with suspicious arguments"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","source:compliance-agent","control:1.2.9","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTurn on Role Based Access Control.\n\n## Rationale\n\nRole Based Access Control (RBAC) allows fine-grained control over the operations that different entities can perform on different objects in the cluster. 
It is recommended to use the RBAC authorization mode.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--authorization-mode` argument exists and is set to a value to include RBAC.\n\n## Remediation\n\nEdit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--authorization-mode` parameter to a value that includes RBAC, for example: `--authorization-mode=Node,RBAC`\n\n## Impact\n\nWhen RBAC is enabled you will need to ensure that appropriate RBAC settings (including Roles, RoleBindings and ClusterRoleBindings) are configured to allow appropriate access.\n\n## Default value\n\nBy default, RBAC authorization is not enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/reference/access-authn-authz/rbac/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. 
\n\n[1]: https://kubernetes.io/docs/reference/access-authn-authz/rbac/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.9","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bn4-mzo-nyg","createdAt":1599605257601,"name":"RBAC is enabled for the API server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","framework:gdpr","requirement:Default-Security-Parameter","level:1","control:8.5","scope:azure.kubernetes","requirement:Application-Updates","framework:iso-27001","requirement:Access-Control","framework:pci","control:6.4.1","security:compliance","requirement:Least-Privileged-Access","control:7.2","framework:cis-azure","source:azure.kubernetes","control:7.1","control:2.3","requirement:Control-Activities","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","requirement:Other-Security-Considerations","framework:soc-2","control:A.9.2.3","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that RBAC is enabled on all Azure Kubernetes Services instances.\n\n## Rationale\n\nAzure Kubernetes Services can integrate Azure Active Directory users and groups into Kubernetes RBAC controls within the AKS Kubernetes API Server. 
Use this to enable granular access to Kubernetes resources within the AKS clusters supporting RBAC controls, both to the overarching AKS instance and to the individual resources managed within Kubernetes.\n\n## Remediation\n\n**Note**: This setting cannot be changed after AKS deployment, your cluster will require recreation.\n\n## Impact\n\nIf RBAC is not enabled, the granularity of permissions granted to Kubernetes resources is diminished, because you are presenting more permissions than needed to users requiring access to your Kubernetes resources in AKS.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/aks/aad-integrationhttps://kubernetes.io/docs/reference/access-authn-authz/rbac/https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-list\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-privileged-access#pa-7-follow-just-enough-administration-least-privilege-principle\n\n## CIS Controls\n\nVersion 7\n\n4 Controlled Use of Administrative Privileges\n\n14 Controlled Access Based on the Need to Know\n\n9 AppService: This section covers security recommendations for Azure 
AppService\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"8.5","framework":"cis-azure","requirement":"Other-Security-Considerations","version":"1.3.0"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"6.4.1","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@enable_rbac:false","resourceType":"azure_aks_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_aks_cluster (@enable_rbac:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"1ha-sj2-4mw","createdAt":1624867979755,"name":"RBAC within Azure 
Kubernetes Services is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","control:6.1","requirement:Communications-Security","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable RDP access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using RDP over the internet is that attackers can use various brute force techniques to access Azure Virtual Machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on an Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct RDP access to your Azure Virtual Machines from the internet. After direct RDP access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.1","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"TCP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"3389\" OR \"*\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tna-xfa-yol","createdAt":1624867976964,"name":"RDP access is restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.7","requirement:Communications-Security","control:1.4","control:3.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. 
Its conditions allow users to specify the type of traffic,\nsuch as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, an IPv4 address or IPv4 block in CIDR notation can be used.\nGeneric (0.0.0.0/0) incoming traffic from the Internet to a VPC or VM instance using RDP\non Port 3389 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic\nfrom instances and incoming (ingress) traffic to instances in the network. Egress and\ningress traffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through RDP with the default\nPort 3389. Generic access from the Internet to a specific IP Range should be restricted.\n\n## Impact\nAll Remote Desktop Protocol (RDP) connections from outside of the network to the\nconcerned VPC(s) are blocked. There could be a business need where secure shell\naccess is required from outside of the network to access resources associated with the VPC.\nIn that case, specific source IP(s) should be mentioned in firewall rules to allow access\nto RDP ports for the concerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule to be modified.\n4. Click Edit.\n5. 
Modify Source IP ranges to your specific IPs.\n6. Click Save.\n\n### From the command line\n1.Update the RDP Firewall rule with a new SOURCE_RANGE using the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=[CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with validated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: 
https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.7","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.1","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 3389\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := 
compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tvo-mpp-0fa","createdAt":1657310084116,"name":"RDP access is restricted from the 
internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","source:rds","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","scope:rds","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that your AWS RDS database instances are encrypted.\n\n## Rationale\n\nEncrypting your AWS RDS clusters protects sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling Amazon RDS encryption for a DB instance][1] docs to ensure your database instances are encrypted.\n\n### CLI\n\n1. Run `describe-db-instances` with an instance identifier query to list RDS database names.\n\n ```\n aws rds describe-db-instances\n --query 'DBInstances[*].DBInstanceIdentifier'\n ```\n\n2. Run `create-db-snapshot` with any returned database instance you wish to modify.\n\n ```\n aws rds create-db-snapshot\n --db-snapshot-identifier my-db-snapshot\n --db-instance-identifier my-db-id\n ```\n\n3. Run `list-aliases` to list KMS keys aliases by region.\n\n ```\n aws kms list-aliases\n --region us-west-1\n ```\n\n4. Run `copy-db-snapshot` with the `kms-key-id` returned in step 3.\n\n ```\n aws rds copy-db-snapshot\n --region us-west-1\n --source-db-snapshot-identifier original-db-snapshot-id\n --target-db-snapshot-identifier encrypted-db-snapshot-id\n --copy-tags\n --kms-key-id 01234567-1a2b-1234a-b45c-abcdef123456\n ```\n\n5. 
Run `restore-db-instance-from-db-snapshot` to restore the previously created snapshot.\n\n ```\n aws rds restore-db-instance-from-db-snapshot\n --region us-west-1\n --db-instance-identifier encrypted-db-id\n --db-snapshot-identifier encrypted-db-snapshot-id\n ```\n\n6. Run `describe-db-instances` with a query to ensure database encryption.\n\n ```\n aws rds describe-db-instances\n --region us-west-1\n --db-instance-identifier encrypted-db-snapshot-id\n --query 'DBInstances[*].StorageEncrypted'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html#Overview.Encryption.Enabling","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@storage_encrypted:false","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance 
(@storage_encrypted:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"han-1rs-ghe","createdAt":1599574005316,"name":"RDS database instance is encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","source:rds","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your RDS instance, so it is not publicly accessible.\n\n## Rationale\n\nUnrestricted access to your RDS instance allows everyone on the internet to establish a connection with your database. 
This can lead to brute-force, DoS/DDoS, or SQL injection attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance (Console)][2] docs to learn how to modify your RDS instance in the AWS console.\n\n### CLI\n\nFollow the [Modifying an Amazon RDS DB instance (AWS CLI)][2] docs to learn how to modify your RDS instance connection configuration.\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_
rds_instance (@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"qgu-ris-pnv","createdAt":1619540057520,"name":"RDS instance is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","security:compliance","control:CC6.6","control:164.312-e-1","cloud_provider:aws","framework:gdpr","requirement:Default-Security-Parameter","scope:rds","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","framework:soc-2","source:rds","requirement:Security-Management-Process","control:32.1a","requirement:Logical-and-Physical-Access-Control","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","control:25.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Amazon RDS database instances][1] are not using default ports. This includes default ports such as MySQL/Aurora port 3306, SQL Server port 1433, and PostgreSQL port 5432.\n\n## Rationale\n\nUsing a custom port can protect against potential brute-force and dictionary attacks.\n\n## Remediation\n\n### Console\n\nFollow the [Modifying an Amazon RDS DB instance][4] docs to verify you're not using a default. You can modify your port by modifying that [DB instance settings][5].\n\n### CLI\n\n1. Run `create-db-snapshot` with your database instance and snapshot identifiers to [create a snapshot][2].\n\n ```\n aws rds create-db-snapshot \\\n --db-instance-identifier database-mysql \\\n --db-snapshot-identifier snapshotidentifier\n ```\n\n2. Run `modify-db-instance` with a new, valid port number. 
A [list of port numbers are available][3].\n\n ```\n aws rds modify-db-instance \\\n --db-instance-identifier database-identifier \\\n --option-group-name test-group-name \\\n --db-parameter-group-name test-sqlserver-name \\\n --apply-immediately\n ```\n\n\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-snapshot.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-instance.html#options\n[4]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html\n[5]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html#USER_ModifyInstance.Settings\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"(@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") 
@endpoint_port:1433)","resourceType":"aws_rds_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_instance ((@engine:(\"aurora\" OR \"aurora-mysql\" OR \"mysql\" OR \"mariadb\") @endpoint_port:3306) OR (@engine:(\"postgres\" OR \"aurora-postgresql\") @endpoint_port:5432) OR (@engine:(\"oracle-ee\" OR \"oracle-se2\" OR \"oracle-se1\" OR \"oracle-se\") @endpoint_port:1521) OR (@engine:(\"sqlserver-ee\" OR \"sqlserver-se\" OR \"lserver-ex\" OR \"sqlserver-web\") @endpoint_port:1433))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"y0x-lgk-w1h","createdAt":1599574001845,"name":"RDS instance is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","source:rds","requirement:Security-Management-Process","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","control:1.3.6","framework:pci","control:25.2","requirement:Workforce-Security","control:1.3.1","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","cloud_provider:aws","scope:rds","requirement:Data-Protection","control:7.2.1","requirement:Security-of-Processing","requirement:Firewall-Configuration","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Relational Database Service (RDS) database snapshots.\n\n## Rationale\n\nSnapshots that are publicly available give other AWS accounts permission to copy a snapshot and create database instances from it, potentially exposing your private data.\n\n## 
Remediation\n\n### Console\n\nFollow the [Stop sharing a manual DB snapshot with an AWS account][1] AWS Console docs.\n\n### CLI\n\nRun `modify-db-snapshot-attribute` with the [snapshot identifier, attribute name, and values to remove][2]. This removes permission from a particular AWS account to restore the DB snapshot.\n\n ```\n aws rds modify-db-snapshot-attribute\n --db-snapshot-identifier yourdbsnapshot\n --attribute-name restore\n --values-to-remove 1111222233333\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html#USER_ShareSnapshot.Sharing\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/modify-db-snapshot-attribute.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security
","version":"1"}],"validationQuery":"@db_snapshot_restore_attribute_values:all","resourceType":"aws_rds_db_snapshot","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_rds_db_snapshot (@db_snapshot_restore_attribute_values:all)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"ptv-gce-is5","createdAt":1616090994243,"name":"RDS snapshot is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","control:3.4","scope:google_dns_managed_zone","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. Use the Google recommended algorithms for key signing.\n\n**Note:** The SHA1 algorithm has been removed from general use by Google. 
If used, it needs to be allowed on a per-project basis through Google, and therefore requires a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records. When enabling DNSSEC for a managed zone, or creating a managed zone with DNSSEC, you can select the DNSSEC signing algorithms and the denial-of-existence type. Changing the DNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If there is a need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off, and then re-enable it with different settings.\n\n**Note**: RSASHA1 key-signing support may be required for compatibility reasons. The remediation CLI works with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If it is necessary to change the settings for a managed zone where it has been\nenabled, NSSEC must be turned off and re-enabled with different settings. To turn\noff DNSSEC, run the following command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update key-signing for a managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tdefault_key_spec := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tdefault_key_spec.algorithm == \"RSASHA1\"\n\tdefault_key_spec.key_type == \"keySigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gny-fox-6gg","createdAt":1659339844054,"name":"RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.2.2","control:A.14.1.2","scored:true","control:A.14.1.3","security:compliance","cloud_provider:gcp","scope:google_dns_managed_zone","control:3.5","framework:cis-gcp","requirement:Control-Activities","requirement:Compliance","level:1","requirement:Firewall-Configuration","requirement:System-Acquisition-Development-and-Maintenance","control:A.18.1.3","framework:soc-2","framework:iso-27001","framework:pci","requirement:Networking","control:CC5.2","source:google_dns_managed_zone"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCertificate resource records may use the domain name system security extensions (DNSSEC) algorithm numbers in this registry. DNSSEC zone signing and transaction security mechanisms (SIG(0) and TSIG) make use of\nsubsets of these algorithms. 
Use the Google recommended algorithms for key signing.\n\n**Note**: The SHA1 algorithm has been removed from general use by Google, and if\nbeing used, needs to be safe listed on a project basis by Google, which\nrequire a Google Cloud support contract.\n\n## Rationale\nUse DNSSEC algorithm numbers from this registry in certificate resource records.\nWhen enabling DNSSEC for a managed zone or creating a managed zone with DNSSEC, select the\nDNSSEC signing algorithms and the denial-of-existence type. Changing the\nDNSSEC settings is only effective for a managed zone if DNSSEC is not already enabled. If\nyou need to change the settings for a managed zone where it has been enabled, turn\nDNSSEC off and then re-enable it with different settings.\n\n**note**: RSASHA1 zone-signing support may be required for compatibility reasons.\n**note**: The remediation CLI works well with gcloud-cli version 221.0.0 and later.\n\n## Remediation\n\n1. If you need to change the settings for a managed zone where it has been\nenabled, DNSSEC must be turned off and then re-enabled with different settings. To\nturn off DNSSEC, run this command:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state off\n ```\n\n2. To update zone-signing for a reported managed DNS Zone, run the following\ncommand:\n ```\n gcloud dns managed-zones update ZONE_NAME --dnssec-state on --ksk-algorithm KSK_ALGORITHM --ksk-key-length KSK_KEY_LENGTH --zsk-algorithm ZSK_ALGORITHM --zsk-key-length ZSK_KEY_LENGTH --denial-of-existence DENIAL_OF_EXISTENCE\n ```\n\n## References\n1. 
[https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options][1]\n\n[1]: https://cloud.google.com/dns/dnssec-advanced#advanced_signing_options\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.5","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nemploys_dns_sec(dns_managed_zone) if {\n\tdns_managed_zone.dnssec_config.default_key_specs[_].algorithm\n}\n\neval(dns_managed_zone) = \"skip\" if {\n\tnot employs_dns_sec(dns_managed_zone)\n} else = \"fail\" {\n\tkeyCheck := dns_managed_zone.dnssec_config.default_key_specs[_]\n\tkeyCheck.algorithm == \"RSASHA1\"\n\tkeyCheck.key_type == \"zoneSigning\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_dns_managed_zone"]},"validationQuery":"","resourceType":"gcp_dns_managed_zone","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_dns_managed_zone","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"h57-78j-30x","createdAt":1659396390100,"name":"RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","framework:gdpr","requirement:Compliance","scope:redshift","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that AWS RedShift clusters are encrypted.\n\n## Rationale\n\nEncrypting Redshift clusters protects your sensitive data from unauthorized access.\n\n## Remediation\n\n### Console\n\nFollow the [Changing cluster encryption][5] docs to ensure your clusters are encrypted.\n\n### CLI\n\n1. 
Run `describe-clusters` with your [cluster identifier][1].\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n ```\n\n2. Run `create-cluster` using the configuration details returned in step 1 along with the [`encrypted` flag][2].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-name\n ...\n --encrypted\n ```\n\n3. Run `describe-cluster` with a [query filter][1] to expose the new endpoint address.\n\n ```\n aws redshift describe-clusters\n --cluster-identifier cluster-name\n --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Use the cluster endpoint URL with the [Amazon Redshift Unload/Copy][3] tool.\n\n5. Update your encrypted Redshift cluster configuration with the new Redshift cluster endpoint URL.\n\n6. Once the endpoint is changed, run `delete-cluster` to [remove the old unencrypted cluster][4].\n\n ```\n aws redshift delete-cluster\n --cluster-identifier old-cluster\n --final-cluster-snapshot-identifier old-cluster-finalsnapshot\n ```\n\n[1]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster.html\n[3]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[5]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/changing-cluster-encryption.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@encrypted:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (-@encrypted:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"o5n-lxt-ayr","createdAt":1599574004941,"name":"Redshift cluster is 
encrypted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.3","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not publicly available.\n\n## Rationale\n\nPublicly available Redshift clusters have a public IP address, which gives any machine the opportunity to attempt to connect to your clusters. 
Malicious activity, such as SQL injections or distributed denial-of-service (DDoS) attacks, can occur if a connection is established.\n\n## Remediation\n\n### Console\n\nFollow the [Managing clusters in a VPC][7] docs to learn how to modify public accessibility for your clusters.\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@publicly_accessible:true","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster 
(@publicly_accessible:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"syn-jic-zlu","createdAt":1599574002373,"name":"Redshift cluster is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","control:A.9.4.3","framework:soc-2","scope:redshift","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","source:redshift","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are using a custom master user name, versus the default master user name.\n\n## Rationale\n\nDefault master user names for publicly accessible clusters can be a backdoor for hacking. While setting a customer master user name alone does not fully protect against attacks, restricting the root account only to privileged users and using additional password measures can add an additional layer of protection.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a master user name of `awsuser`, it is the default master user name. Modify the user name to a custom user name in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster` with the returned cluster metadata to [launch a new cluster][3] with the existing metadata and a new master user name.\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t --master-username awsmasterusr\n --vpc-security-group-ids id-012a3b4c\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier new-cluster-identifier\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n5. Use the returned new database cluster endpoint URL from step 3 to update your application's configuration to point to the new cluster endpoint.\n6. Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecs/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: 
https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.4.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"}],"validationQuery":"@master_username:awsuser","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@master_username:awsuser)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"ewv-jbb-gxa","createdAt":1599574001675,"name":"Redshift cluster is not using a custom master user 
name"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","requirement:Default-Security-Parameter","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","control:1.3.1","security:compliance","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","control:2.1","requirement:Data-Protection","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift clusters][1] are not using default port 5439 to protect against non-targeted attacks.\n\n## Rationale\n\nUsing a custom port can protect your publicly accessible AWS Redshift clusters against potential brute-force and dictionary attacks. Although setting a custom port can help fend off these attacks, it is also recommended to restrict public access, use SSL to encrypt client connections to database clusters, and control cluster access through security groups and Network Access Control Lists (NACLs) to add an additional layer of security for your account.\n\n## Remediation\n\n### Console\n\nFollow the [Getting information about cluster configuration][7] docs to access your cluster configuration information. If the cluster has a port 5439, it is the default port. Modify the port number in the console.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-name\n ```\n\n2. 
Run `create-cluster-snapshot` with [create a snapshot of your database cluster][3].\n\n ```\n aws redshift create-cluster-snapshot\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n ```\n\n3. Run `restore-from-cluster-snapshot` to [create a new cluster from the snapshot created above][4]. Use the retrieved metadata in step one to configure a new port number.\n\n ```\n aws redshift restore-from-cluster-snapshot\n ...\n --cluster-identifier cluster-name\n --snapshot-identifier snapshot-identifier\n --port 2000\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/describe-clusters.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/create-cluster-snapshot.html\n[4]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/restore-from-cluster-snapshot.html\n[5]: https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#describe-cluster\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"
2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"@endpoint.port:5439 OR @endpoint_port:5439","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@endpoint.port:5439 OR @endpoint_port:5439)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"xrn-s6h-z9s","createdAt":1599574006854,"name":"Redshift cluster is not using the default port"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","scope:redshift","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","control:1.2.1","control:164.312-e-1","cloud_provider:aws","requirement:Communications-Security","requirement:Data-Protection","control:A.13.1.3","requirement:Security-of-Processing","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:32.1a","requirement:Logical-and-Physical-Access-Control","source:redshift","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm [Redshift Clusters][1] are using the [AWS EC2-VPC platform][2] for 
better cluster security.\n\n## Rationale\n\nThe AWS EC2-VPC platform offers better security control and traffic routing for clusters than the outdated EC2-Classic platform.\n\n## Remediation\n\n### Console\n\nFollow the [Use EC2-VPC when you create your cluster][7] docs to learn how to use the EC2-VPC platform in the console to secure your clusters.\n\n### CLI\n\n1. Run `describe-clusters` with a `cluster-identifier` to [retrieve cluster metadata][2].\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n ```\n\n2. Run `create-cluster` with the metadata to [launch a new cluster within a VPC][3].\n\n ```\n aws redshift create-cluster\n --cluster-identifier cluster-id\n --vpc-security-group-ids id-012a3b4c\n --port 5439\n ...\n ```\n\n3. Re-run `describe-clusters` with a [custom query filter][4] to retrieve the database cluster endpoint.\n\n ```\n aws redshift describe-clusters\n\t --cluster-identifier cluster-id\n\t --query 'Clusters[*].Endpoint.Address'\n ```\n\n4. Reload the old cluster data into the new database cluster with the [Unload Copy Utility][5].\n\n5. 
Run `delete-cluster` to [delete the old cluster][6].\n\n ```\n aws redshift create-cluster\n\t --cluster-identifier old-cluster-identifier\n\t ...\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.FindDefaultVPC.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/emr/create-cluster.html\n[4]: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-endpoints-find.html\n[5]: https://github.com/awslabs/amazon-redshift-utils/tree/master/src/UnloadCopyUtility\n[6]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/delete-cluster.html\n[7]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#cluster-platforms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requiremen
t":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@vpc_id:\"\"","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@vpc_id:\"\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"goz-ys2-tll","createdAt":1599573999940,"name":"Redshift cluster is using the EC2-VPC platform"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","control:10.2.6","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","scope:redshift","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","source:redshift","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable logging for your Amazon Redshift cluster.\n\n## Rationale\n\nLogging data from Amazon Redshift clusters is helpful when troubleshooting or completing security and compliance audits.\n\n## Remediation\n\n### Console\n\nFollow the Amazon 
Redshift [Configuring auditing using the console][1] docs to enable logging, create audit log files, and store them in an Amazon S3 bucket.\n\n### CLI\n\n1. Run `enable-logging` with your [cluster ID and the S3 bucket][2] where log files are to be stored.\n\n ```\n aws redshift enable-logging\n --cluster-identifier your-cluster-id\n --bucket-name aws-redshift-logs\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/enable-logging.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"}],"validationQuery":"@cluster_logging.logging_enabled:false"
,"resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@cluster_logging.logging_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f05-rf3-w5i","createdAt":1619112188003,"name":"Redshift cluster logging is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","security:compliance","source:azure.appservice","cloud_provider:azure","requirement:Least-Privileged-Access","framework:cis-azure","control:7.1","requirement:Credentials","requirement:App-Service","requirement:Compliance","control:8.7","level:1","control:9.5","control:A.18.1.3","framework:soc-2","scope:azure.appservice","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nManaged service identity in App Service makes an app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app connects to other Azure services securely without the need for a username and password.\n\n## Rationale\n\nApp Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for apps, which is a turn-key solution for securing access to Azure SQL Database and other Azure services.\n\n## References\n\n1. https://docs.microsoft.com/en-gb/azure/app-service/app-service-web-tutorial-connect-msi\n2. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Identity\n5. Set Status to On\n\nAzure Command Line Interface:\n\nTo set Register with Azure Active Directory for an existing app, run the following command: `az webapp identity assign --resource-group --name '`\n\n## CIS Controls\n\nVersion 7 16.2 - Configure Centralized Point of Authentication - Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.5","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.7","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@identity_principal_id:*","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@identity_principal_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"t1t-uk4-nxu","createdAt":1631623033118,"name":"Register with Azure Active Directory is enabled on App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:3.8","framework:cis-docker","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that all the registry certificate files, usually found under `/etc/docker/certs.d/ directory`, have permissions of 444 or are set more restrictively.\n\n## Rationale\n\nThe `/etc/docker/certs.d/` directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..\n\n## Audit\n\nYou should execute the command below to verify that registry certificate files have permissions of 444+.\n\n```\nstat -c %a /etc/docker/certs.d//*\n```\n\n## Remediation\n\nRun the following command: `chmod 444 /etc/docker/certs.d//*`\n\nThis sets the permissions for the registry certificate files to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.8","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.8\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"sjq-1m3-njp","createdAt":1599605226177,"name":"Registry certificate file permissions are set to read-only or more restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:5.7.4","source:compliance-agent","requirement:General-Policies","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nKubernetes provides a 
default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.\n\n## Rationale\n\nResources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.\n\n## Audit\n\nRun this command to list objects in default namespace: `kubectl get all`\n\nThe only entries there should be system managed resources such as the Kubernetes service.\n\n## Remediation\n\nEnsure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.\n\n## Impact\n\nNone\n\n## Default value\n\nUnless a namespace is specific on object creation, the default namespace will be used.\n\n## References\n\nNone\n\n## CIS controls\n\nNone\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_cluster","complianceFrameworks":[{"control":"5.7.4","framework":"cis-kubernetes","requirement":"General-Policies","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-5.7.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"gly-1rp-obv","createdAt":1599604941259,"name":"Resources are not created in the default namespace"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","control:5.14","framework:cis-docker","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nBy using the `--restart` flag 
in the docker run command you can specify a restart policy for how a container should or should not be restarted on exit. You should choose the on-failure restart policy and limit the restart attempts to 5.\n\n## Rationale\n\nIf you indefinitely keep trying to start the container, it could possibly lead to a denial of service on the host. It could be an easy way to do a distributed denial of service attack especially if you have many containers on the same host. Additionally, ignoring the exit status of the container and always attempting to restart the container, leads to non-investigation of the root cause behind containers getting terminated. If a container gets terminated, you should investigate on the reason behind it instead of just attempting to restart it indefinitely. You should use the on-failure restart policy to limit the number of container restarts to a maximum of 5 attempts.\n\n## Audit\n\nExecute this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'` \n\nIf this command returns `RestartPolicyName=always`, then the system is not configured optimally. If this command returns `RestartPolicyName=no` or just `RestartPolicyName=`, then restart policies are not being used and the container would never be restarted automatically. This may be a secure option, but it is not the best option from a usability standpoint. If this command returns `RestartPolicyName=on-failure`, then verify that the number of restart attempts is set to 5 or less by looking at `MaximumRetryCount`.\n\n## Remediation\n\nIf you wish a container to be automatically restarted, use `docker run --detach --restart=on-failure:5 nginx`\n\n## Impact\n\nIf this option is set, a container will only attempt to restart itself 5 times.\n\n## Default value\n\nBy default, containers are not configured with restart policies.\n\n## References\n\n1. 
https://docs.docker.com/engine/reference/commandline/run/#restart-policies-restart\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.14","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.14\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ycq-buv-pf8","createdAt":1599598174688,"name":"Restart attempts on container failure is limited to 5 attempts"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_logging_log_bucket","control:10.1","requirement:Monitoring","control:10.2.5","control:2.3","control:A.12.4.1","control:10.2.4","requirement:Logging-and-Monitoring","source:google_logging_log_bucket","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","level:2","framework:soc-2","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nEnabling retention policies on log buckets protects logs stored in cloud storage buckets\nfrom being overwritten or accidentally deleted. 
It is recommended to set up retention\npolicies and configure `Bucket Lock` on all storage buckets that are used as log sinks.\n\n### Default value\nBy default, storage buckets used as log sinks do not have retention policies and `Bucket Lock`\nconfigured.\n\n## Rationale\nLogs can be exported by creating one or more sinks that include a log filter and a\ndestination. As Cloud Logging receives new log entries, they are compared against each\nsink. If a log entry matches a sink's filter, then a copy of the log entry is written to the\ndestination.\nSinks can be configured to export logs in storage buckets. It is recommended to configure a\ndata retention policy for these cloud storage buckets and to lock the data retention policy,\nthus permanently preventing the policy from being reduced or removed. This way, if the\nsystem is ever compromised by an attacker or a malicious insider who wants to cover their\ntracks, the activity logs are definitely preserved for forensics and security investigations.\n\n\n### Impact\nLocking a bucket is an irreversible action. Once you lock a bucket, you cannot remove the\nretention policy from the bucket or decrease the retention period for the policy. You\nthen have to wait for the retention period for all items within the bucket before you can\ndelete them, and then delete the bucket.\n\n## Additional Information\n- **Caution**: Locking a retention policy is an irreversible action. Once locked, you must delete\nthe entire bucket in order to \"remove\" the bucket's retention policy. However, before you\ncan delete the bucket, you must be able to delete all the objects in the bucket, which itself is\nonly possible if all the objects have reached the retention period set by the retention policy.\n\n\n## Remediation\n\n### From the console: \n1. If sinks are not configured, first follow the instructions in the recommendation:\nEnsure that sinks are configured for all log entries.\n2. 
For each storage bucket configured as a sink, go to the Cloud Storage browser at\nhttps://console.cloud.google.com/storage/browser/.\n3. Select the **Protection** tab near the top of the page.\n4. In the **Retention policy** section, click the **Lock** button. The **Lock retention policy?** dialog box appears\n5. Read the `Permanent` notice.\n6. In the **Bucket name** text box, type in the name of your bucket.\n7. Click **Lock policy**\n\n### From the command line:\n1. To list all sinks destined to storage buckets:\n ```\n gcloud logging sinks list --folder=FOLDER_ID | --organization=ORGANIZATION_ID\n | --project=PROJECT_ID\n ```\n\n2. For each storage bucket listed above, set a retention policy and lock it:\n ```\n gsutil retention set [TIME_DURATION] gs://[BUCKET_NAME]\n gsutil retention lock gs://[BUCKET_NAME]\n ```\nFor more information, visit [Set a retention policy on a bucket][1].\n\n## References\n1. [Retention policies and retention policy locks][2]\n2. [Use and lock retention policies ][3]\n\n[1]: https://cloud.google.com/storage/docs/using-bucket-lock#set-policy\n[2]: https://cloud.google.com/storage/docs/bucket-lock\n[3]: 
https://cloud.google.com/storage/docs/using-bucket-lock\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"2.3","framework":"cis-gcp","requirement":"Logging-and-Monitoring","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nvalid_log_filter(logging_log_sink) if {\n\tnot logging_log_sink.filter\n} else {\n\tlogging_log_sink.filter == \"\"\n}\n\ncompliant(logging_log_bucket) if {\n\tlogging_log_bucket.retention_days != \"\"\n\tlogging_log_bucket.locked == true\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tvalid_log_filter(logging_log_sink)\n}\n\ndestination_is_bucket(logging_log_bucket) if {\n\tlogging_log_sink := input.resources.gcp_logging_log_sink[_]\n\tlogging_log_sink.project_number == logging_log_bucket.project_number\n\tbucket_name := split(logging_log_bucket.resource_name, \"buckets/\")[1]\n\tendswith(logging_log_sink.destination, bucket_name)\n}\n\neval(logging_log_bucket) = \"skip\" if {\n\tnot destination_is_bucket(logging_log_bucket)\n} else = \"pass\" {\n\tcompliant(logging_log_bucket)\n} else = \"fail\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules.\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_logging_log_bucket","gcp_logging_log_sink"]},"validationQuery":"","resourceType":"gcp_logging_log_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_logging_log_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"trq-twi-wxj","createdAt":1664803576934,"name":"Retention policies used for exporting logs are configured using the bucket lock on Cloud Storage buckets"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-ii-B","control:1.7","control:164.308-a-3-i","control:164.308-a-4-i","control:7.2.1","level:1","cloud:aws","framework:soc-2","framework:cis-aws","requirement:IAM","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Information-Access-Management","control:CC6.2","framework:pci","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nWith the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.\n\n## Rationale\n\nThe root user has unrestricted access to and control over all account resources. 
Use of it is inconsistent with the principles of least privilege and separation of duties, and can lead to unnecessary harm due to error or account compromise.\n\n## Remediation\n\nIf you find that the root user account is being used for daily activity and administrative tasks that do not require the root user, remediate this by doing the following:\n\n1. Change the root user password.\n2. Deactivate or delete access keys associated with the root user.\n**Note**: Anyone who has root user credentials for your AWS account has unrestricted access to and control of all the resources in your account, including billing information.\n\n## References\n\n1. [https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html][1]\n2. [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html][2]\n3. [https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html][3]\n\n**Additional Information**: The root user for us-gov cloud regions is not enabled by default. However, on request AWS support can enable the root user and grant access only through access-keys (CLI, API methods) for us-gov cloud region. If the root user for us-gov cloud regions is enabled, this recommendation is applicable. 
Monitor usage of the root user by implementing recommendation *3.3 Ensure a log metric filter and alarm exist for usage of the root user*.\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html\n[3]: https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"1.7","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"164.308-a-4-i","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.308-a-3-ii-B","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthirty_days_ms := (((30 * 24) * 60) * 60) * 1000\n\nnon_compliant_keys(iam_credential_report) if {\n\tiam_credential_report.resource_seen_at - iam_credential_report.password_last_used < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_1_last_used_date < thirty_days_ms # Used in last 30 days\n} else {\n\tiam_credential_report.resource_seen_at - iam_credential_report.access_key_2_last_used_date < thirty_days_ms # Used in last 30 days\n}\n\neval(iam_credential_report) = \"skip\" if {\n\tnot iam_credential_report.user == \"\"\n} else = \"fail\" {\n\tnon_compliant_keys(iam_credential_report)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part 
remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_iam_credential_report"]},"validationQuery":"","resourceType":"aws_iam_credential_report","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_iam_credential_report","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yid-djj-bng","createdAt":1638865331666,"name":"Root account credentials have not been used in the past 30 days"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:kms","source:kms","framework:gdpr","requirement:Logging","level:2","control:3.8","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Security-of-Processing","framework:soc-2","control:3.5.2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:3.6.4","control:CC6.3","control:CC6.2"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAWS Key Management Service (KMS) allows customers to rotate the backing key, the key material stored within the KMS. The KMS connects o the key ID of the customer created customer master key (CMK). This backing key is used to perform cryptographic operations such as encryption and decryption. 
Automatic key rotation currently retains all prior backing keys so that encrypted data can be decrypted transparently. You should enable CMK key rotation.\n\n## Rationale\n\nRotating encryption keys helps reduce the potential impact of a compromised key as data encrypted with a new key cannot be accessed with a previous key that may have been exposed.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nNone\n\n## Default value\n\nNone\n\n## References\n\n1. [https://aws.amazon.com/kms/pricing/][2]\n2. [http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf][3]\n3. CCE-78920-6\n\n## CIS controls\n\nVersion 7, 6 - Maintenance, Monitoring, and Analysis of Audit Logs\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://aws.amazon.com/kms/pricing/\n[3]: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"3.8","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","
version":"1"}],"validationQuery":"@key_rotation_enabled:false","resourceType":"aws_kms","filter":"@key_manager:CUSTOMER","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_kms @key_manager:CUSTOMER (@key_rotation_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5xm-kxb-jxz","createdAt":1599574002243,"name":"Rotation for customer created CMKs is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0004-privilege-escalation","source:runtime-security-agent","technique:T1611-escape-to-host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to the `runc` binary outside of the normal package management lifecycle.\n\n## Strategy\n[CVE-2019-5736][1], a vulnerability in `runc` through version 1.0-rc6 could allow attackers to overwrite the host `runc` binary, which allows the attacker to effectively escape a running container, and gain root access on the underlying host.\nAny modifications to `runc` (outside of standard package management upgrades) could be exploiting this vulnerability to gain root access to the system.\n\n## Triage & Response\n1. Check to see which user or process changed the `runc` binary.\n2. If these changes are not acceptable, roll back contain the host in question to an acceptable configuration.\n3. Update `runc` to a version above 1.0-rc6 (or Docker 18.09.2 and above).\n4. Determine the nature of the attack and utilities involved. 
Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n\n*Requires Agent version 7.27 or greater*\n\n[1]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:runc_modification","groupByFields":["host"],"aggregation":"count","name":"runc_modification","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"runc_modification","condition":"runc_modification > 0"}],"type":"workload_security","id":"6ru-oyo-uag","createdAt":1627392837049,"name":"Runc binary modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","cloud_provider:aws","requirement:Confidentiality","control:C1.1","control:3.1","requirement:Control-Activities","requirement:Compliance","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","source:s3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet up the Multi-Factor Authentication (MFA) delete feature to prevent deletion of Amazon S3 objects.\n\n## Rationale\n\n## Remediation\n\nMFA-protected Amazon S3 buckets ensure S3 objects cannot be accidentally or intentionally deleted by AWS users who have access to your bucket.\n\n### Console\n\n`MFA DELETE` [cannot be enabled in the AWS Console][1]. See the CLI remediation below for configuration instructions.\n\n### CLI\n\n1. 
Run `put-bucket-versioning` with your [bucket name, versioning configuration, and MFA configuration][2].\n\n ```\n aws s3api put-bucket-versioning\n --bucket your-s3-bucket-name\n --versioning-configuration '{\"MFADelete\":\"Enabled\",\"Status\":\"Enabled\"}'\n --mfa 'arn:aws:iam::aws_account_id:mfa/root-account-mfa-device'\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis\n\n\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"-@versioning_mfa_delete:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_mfa_delete:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"f22-rvk-qko","createdAt":1619112188477,"name":"S3 bucket MFA Delete feature is 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:10.1","requirement:Monitoring","cloud_provider:aws","control:A.12.4.1","control:3.3","requirement:System-Operations","requirement:Logging","level:2","framework:soc-2","scope:cloudtrail","framework:cis-aws","source:cloudtrail","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nS3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.\n\n## Rationale\n\nBy enabling S3 bucket logging on target S3 buckets, it is possible to capture all events which may affect objects within any target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.\n\n## Remediation\n\n### Console\n\n1. Sign in to the AWS Management Console and open the S3 console at https://console.aws.amazon.com/s3.\n2. Under All Buckets click on the target S3 bucket\n3. Click on Properties in the top right of the console\n4. Under Bucket: click on Logging\n5. Configure bucket logging and click on the Enabled checkbox\n6. Select Target Bucket from list and enter a Target Prefix\n7. Click Save\n\n## Default value\n\nLogging is disabled.\n\n## References\n\n1. CCE-78918-0\n2. 
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html\n\n## CIS controls\n\nVersion 7\n\n6.2 - Activate audit logging: Ensure that local logging has been enabled on all systems and networking devices.\n\n14.9 Enforce Detail Logging for Access or Changes to Sensitive Data: Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.3","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbucket_by_name := {bucket.bucket_name: bucket |\n\tbucket := input.resources.aws_s3_bucket[_]\n}\n\neval(cloudtrail_trail) = \"skip\" if {\n\tnot bucket_by_name[cloudtrail_trail.s3_bucket_name]\n} else = \"pass\" {\n\ts3_bucket := bucket_by_name[cloudtrail_trail.s3_bucket_name]\n\tcount(s3_bucket.bucket_logging) > 0\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["aws_cloudtrail_trail","aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_cloudtrail_trail","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_cloudtrail_trail","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@trail_arn"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gzk-vm2-67k","createdAt":1635929074549,"name":"S3 bucket access logging is enabled on the CloudTrail S3 bucket"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your AWS S3 bucket to remove `WRITE` actions for any IAM user or AWS authenticated account.\n\n## Rationale\n\nAuthenticated users with AWS S3 bucket `WRITE` privileges can add, delete, and replace objects without restriction, which can lead to potential data loss or unintended billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Editing customer managed policies (console)][1] documentation to learn how to edit permissions for your existing policy. 
In the console, modify **Permissions** for Access Control Lists (ACLs). Deselect **Upload/Delete** for **Any Authenticated AWS User**.\n\n### CLI\n\n1. Run `list-buckets` to [list all available S3 buckets][2] for your account.\n\n ```\n aws s3api list-buckets\n --query \"Buckets[].Name\"\n ```\n\n2. Run `put-bucket-acl` with your [bucket name and the canned ACL to apply to the bucket][3].\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html#edit-managed-policy-console\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/list-buckets.html#examples\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"9rz-61l-xiu","createdAt":1619112188824,"name":"S3 bucket cannot be accessed for WRITE actions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your AWS S3 bucket content as it is publicly accessible.\n\n## Rationale\n\nGranting `READ` access to everyone allows unauthorized users to list objects within a bucket. 
Malicious users can use information exploited during this process to access compromised objects, which can lead to unfettered access to your data.\n\n## Remediation\n\n### Console\n\nFollow the [Blocking public access to your Amazon S3 storage][1] docs to learn how to manage access control lists for existing S3 buckets.\n\n**Note**: By default, new buckets, access points, and objects don't allow public access.\n\n### CLI\n\n1. Run `put-bucket-acl` with [your S3 bucket name][2] and set the ACL of the bucket to `private`.\n\n\t```\n\n\taws s3api put-bucket-acl\n\t\t--bucket webapp-data-repository\n\t\t--acl private\n\n\t```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requiremen
t":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"mqm-ntc-bra","createdAt":1619112188104,"name":"S3 bucket cannot be publicly listed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ` access for authenticated AWS accounts or IAM users.\n\n## Rationale\n\n`READ` access allows any authenticated IAM user or AWS authenticated account to list all objects within your bucket and exploit objects with misconfigured ACL permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs 
to deselect the `Bucket ACL - Read` permission and update ACL permissions.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:READ","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:READ)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"73w-cje-dhm","createdAt":1619112189198,"name":"S3 bucket content cannot be listed by users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `READ_ACP` access.\n\n## Rationale\n\nPublic `READ_ACP` access gives any user on the internet the `READ` Access Control List (ACL) permission. With this permission, anonymous users can see who controls your objects, and this information can be used to find misconfigured permissions and gain access to your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i2o-7bz-zxc","createdAt":1619112188697,"name":"S3 bucket content permissions cannot be viewed by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `READ_ACP` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\nAWS authenticated accounts and users with `READ_ACP` access can examine Amazon S3 Access Control Lists (ACLs) configuration details. 
This information can be used maliciously to find misconfigured permissions and implement methods to access your S3 data.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `READ_ACP` access for AWS signed users.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [Amazon S3 bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nacl_not_compliant(acl) if {\n\tacl.grantee_permission == \"READ_ACP\"\n\tacl.grantee_uri == 
\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\"\n}\n\neval(s3_bucket) = \"fail\" if {\n\tacl = s3_bucket.acl[_]\n\tacl_not_compliant(acl)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cer-xg1-llv","createdAt":1619112188867,"name":"S3 bucket content permissions cannot be viewed by authenticated users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for anonymous users.\n\n## 
Rationale\n\nPublic `WRITE_ACP` access gives anonymous users `READ` and `WRITE` Access Control List (ACL) permissions. With these permissions, anonymous users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-S
ecurity","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"8au-91a-7zf","createdAt":1619112188436,"name":"S3 bucket does not allow anonymous users to modify access control permissions"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","source:s3","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove `WRITE_ACP` access for authenticated users.\n\n## Rationale\n\n`WRITE_ACP` access gives any authenticated AWS accounts or IAM users `READ` and `WRITE` Access Control List (ACL) permissions. 
With these permissions, authenticated users can modify, delete, and update S3 objects, which can lead to data loss or unexpected charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket 
(@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:WRITE_ACP)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"yuo-rt1-twl","createdAt":1619112188124,"name":"S3 bucket does not allow authenticated users to modify access controls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Information-Access-Management","control:164.308-a-4-ii-B","framework:pci","control:164.308-a-4-ii-C","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your ACL permission to remove `FULL_CONTROL` access for authenticated AWS accounts and AWS IAM users.\n\n## Rationale\n\n`FULL_CONTROL` access allows any IAM user or AWS authenticated account to view, upload, modify and delete S3 objects without restriction.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-s3-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-4-ii-B","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-4-ii-C","framework":"hipaa","requirement":"Information-Access-Management","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" @grantee_permission:\"FULL_CONTROL\"","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AuthenticatedUsers\" 
@grantee_permission:\"FULL_CONTROL\")","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"qem-nxn-zvw","createdAt":1619112188863,"name":"S3 bucket does not allow users full control access"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","requirement:Storage","framework:gdpr","control:2.1.1","requirement:Compliance","level:1","framework:cis-aws","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","security:compliance","control:164.312-a-2-iv","cloud_provider:aws","control:3.4","requirement:Control-Activities","requirement:Data-Protection","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Change-Management","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides a variety of no-cost or low-cost encryption options to protect data at rest.\n\n## Rationale\n\nEncrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.\n\n## Remediation\n\n### Console\n\n1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/\n2. Select the Check box next to the Bucket.\n3. Click on Properties.\n4. Click on Default Encryption.\n5. Select either AES-256 or AWS-KMS.\n6. Click Save.\n7. 
Repeat for all the buckets in your AWS account lacking encryption.\n\n### CLI\n\nRun one of the following commands: \n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}''`\n\nor:\n\n`aws s3api put-bucket-encryption --bucket --server-side-encryption-configuration ''{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"aws:kms\",\"KMSMasterKeyID\": \"aws/s3\"}}]}''`\n\n**Note**: The `KMSMasterKeyID` can be set to the master key of your choosing; `aws/s3` is an AWS preconfigured default.\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html][1]\n2. [https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources][2]\n\n**Additional Information**: S3 bucket encryption only applies to objects as they are placed in the bucket. Enabling S3 bucket encryption does not encrypt objects previously stored within the bucket.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"2.1.1","framework":"cis-aws","requirement":"Storage","version":"1.3.0"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-2-iv","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR \"aws:kms\")","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@bucket_encryption_rules.rules.apply_server_side_encryption_by_default.sse_algorithm:(\"AES256\" OR 
\"aws:kms\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"i5u-x9l-ytw","createdAt":1619112188944,"name":"S3 bucket employs default encryption at-rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:A.12.1.2","framework:gdpr","control:A.12.4.2","control:164.308-a-7-ii-A","requirement:Compliance","control:164.312-a-2-ii","requirement:Cardholder-Data","framework:iso-27001","framework:hipaa","requirement:Access-Control","source:s3","requirement:Contingency-Plan","framework:pci","requirement:Operations-Security","requirement:Integrity","control:164.312-c-1","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:3.1","requirement:Control-Activities","control:7.2.1","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","requirement:Logical-and-Physical-Access-Control","control:32.1c","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable versioning on S3 buckets to keep multiple versions of an object in one bucket.\n\n## Rationale\n\nVersioning-enabled buckets help [recover objects in the case of accidental deletion or overwriting][1].\n\n## Remediation\n\n### Console\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning within the S3 console.\n\n### CLI\n\nFollow the [Enabling versioning on buckets][2] AWS documentation to enable bucket versioning with the AWS CLI.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html\n[2]: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.12.1.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1c","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.312-a-2-ii","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-7-ii-A","framework":"hipaa","requirement":"Contingency-Plan","version":"1"},{"control":"164.312-c-1","framework":"hipaa","requirement":"Integrity","version":"1"}],"validationQuery":"-@versioning_status:Enabled","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (-@versioning_status:Enabled)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"hfe-sv1-7ci","createdAt":1632209932330,"name":"S3 bucket has versioning 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:AWS","control:1.20","framework:gdpr","control:164.308-a-3-i","requirement:Compliance","framework:cis-aws","requirement:Security-Management-Process","requirement:IAM","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","requirement:Least-Privileged-Access","cloud_provider:aws","control:1.8","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","framework:security-labs","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAmazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you restrict unintended public access to Amazon S3 resources. By default, S3 buckets and objects are created without public access. However, someone with sufficient permissions can enable public access at the bucket or object level, often unexpectedly. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets in the account, and contained objects, from becoming publicly accessible.\n\n## Rationale\n\nAmazon S3 `Block public access (bucket settings)` prevents the accidental or malicious public exposure of data contained within the respective buckets. Amazon S3 `Block public access (account settings)` prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account. 
Blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.\n\n### Impact\n\nWhen you apply `Block Public Access` settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.\n\n\n## Remediation\n\n### From the Console:\n\nIf utilizing Block Public Access (account settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Choose **Block public access (account settings)**.\n3. Choose **Edit** to change the block public access settings for all the buckets in your AWS account.\n4. Click on **Block all public access**.\n5. When you're asked for confirmation, enter `confirm`. Then click Confirm to save your changes.\n\nIf utilizing Block public access (bucket settings):\n\n1. Login to AWS Management Console and open the Amazon S3 console page by visiting: [https://console.aws.amazon.com/s3/][1].\n2. Select the check box next to the bucket.\n3. Click on **Edit public access settings**.\n4. Click **Block all public access**.\n5. Repeat for all the buckets in your AWS account that contain sensitive data.\n\n\n### From the command line:\n\nIf utilizing Block Public Access (bucket settings):\n\n1. List all of the S3 buckets: `aws s3 ls`\n2. 
To set the public access to true on a bucket, run: `aws s3api put-public-access-block --bucket --public-access-block-configuration \"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true\"`\n\nIf utilizing Block Public Access (account settings):\n\nTo set Public access settings for this account, run the following command: `aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true, IgnorePublicAcls=true, BlockPublicPolicy=true, RestrictPublicBuckets=true --account-id '`\n\n## References\n\n1. [https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html][2]\n\n[1]: https://console.aws.amazon.com/s3/\n[2]: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"security-labs","requirement":"AWS","version":"1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.20","framework":"cis-aws","requirement":"IAM","version":"1.3.0"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.308-a-3-i",
"framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\naccount_public_access_block_by_account_id = {s3_account_public_access_block.account_id: s3_account_public_access_block |\n\tsome s3_account_public_access_block in input.resources.aws_s3_account_public_access_block\n}\n\nsecure_public_access_block(s3_public_access_block) if {\n\ts3_public_access_block.block_public_acls\n\ts3_public_access_block.block_public_policy\n\ts3_public_access_block.ignore_public_acls\n\ts3_public_access_block.restrict_public_buckets\n}\n\naccess_block_compliant(s3_bucket) if {\n\ts3_account_public_access_block := account_public_access_block_by_account_id[s3_bucket.account_id]\n\tsecure_public_access_block(s3_account_public_access_block)\n} else {\n\tbucket_block := s3_bucket.access_block[_]\n\tsecure_public_access_block(bucket_block)\n}\n\neval(s3_bucket) = \"pass\" if {\n\taccess_block_compliant(s3_bucket)\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket","aws_s3_account_public_access_block"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"b1p-nxn-wxx","createdAt":1619112188591,"name":"S3 bucket is configured with 'Block public access'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nModify your access control permissions to remove public `WRITE` access.\n\n## Rationale\n\nPublic `WRITE` access gives unauthorized users the ability to add, replace, and delete objects within a bucket. Attackers can use these abilities to access your data or incur charges on your AWS bill.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [S3 bucket name and the ACL][2] set to `private`.\n\n ```\n aws s3api get-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-versioning.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" @grantee_permission:WRITE","resourceType":"aws_s3_bucket","filter":"","queryPath":"acl","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket (@grantee_uri:\"http://acs.amazonaws.com/groups/global/AllUsers\" 
@grantee_permission:WRITE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"wyn-eku-mhg","createdAt":1619112188471,"name":"S3 bucket is not publicly accessible for write actions by anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSet your Amazon S3 bucket to private.\n\n## Rationale\n\nPublicly accessible Amazon S3 buckets grant `FULL_CONTROL` access to everyone, including anonymous users. `FULL_CONTROL` grants users the ability to upload, modify, delete, and view S3 objects.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring ACLs: Using the S3 console to set ACL permissions for a bucket][1] docs to remove `FULL_CONTROL` access and update ACL permissions.\n\n### CLI\n\n1. 
Run `put-bucket-acl` with your [bucket name and ACL][2] set to `private`.\n\n ```\n aws s3api put-bucket-acl\n --bucket your-bucket-name\n --acl private\n ```\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-acl.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(s3_bucket) = \"fail\" if {\n\tacl := s3_bucket.acl[_]\n\tacl.grantee_uri == \"http://acs.amazonaws.com/groups/global/AllUsers\"\n\tacl.grantee_permission == \"FULL_CONTROL\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains 
result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_s3_bucket"]},"validationQuery":"","resourceType":"aws_s3_bucket","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"o0d-2zb-qbg","createdAt":1619112188881,"name":"S3 bucket is not publicly accessible to anonymous users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["framework:gdpr","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","source:s3","framework:pci","control:25.2","requirement:Workforce-Security","security:compliance","control:164.312-a-1","requirement:Least-Privileged-Access","cloud_provider:aws","requirement:Data-Protection","control:7.2.1","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","scope:s3","control:A.9.2.3","control:32.1a","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your bucket policy as your Amazon S3 bucket is currently publicly accessible.\n\n## Rationale\n\nPublicly accessible S3 buckets through bucket policies give any AWS user the ability to list, download, delete, and upload objects and edit object permissions.\n\n## Remediation\n\n### Console\n\nFollow the [Controlling access to a bucket with user 
policies][1] docs to edit your existing policy and set the policy permissions to private.\n\n### CLI\n\n1. To remove the existing public bucket policy, run `delete-bucket-policy` with [your bucket name][2].\n\n ```\n delete-bucket-policy\n --bucket your-bucket-name\n ```\n\n2. Create a new non-public bucket policy using the [AWS Policy Generator][3].\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket-policy.html#synopsis\n[3]: http://awspolicygen.s3.amazonaws.com/policygen.html","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"25.2","framework":"gdpr","requirement":"Data-Protection","version":"1"},{"control":"32.1a","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow 
@statement_has_condition:false","resourceType":"aws_s3_bucket","filter":"","queryPath":"bucket_policy_statement","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_s3_bucket ((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_effect:Allow @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@bucket_name"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"ftf-6wr-t2z","createdAt":1624344845705,"name":"S3 bucket is publicly accessible (via policy)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","iaas:aws","requirement:Monitoring","scope:s3","framework:cis-aws","control:4.8","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a S3 Bucket policy is modified.\n\n## Strategy\nMonitor CloudTrail and detect when S3 policies are being modified via one of the following API calls:\n* [PutBucketAcl][1]\n* [PutBucketPolicy][2]\n* [PutBucketCors][3]\n* [PutBucketLifecycle][4]\n* [PutBucketReplication][5]\n* [DeleteBucketPolicy][6]\n* [DeleteBucketCors][7]\n* [DeleteBucketReplication][8]\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. 
If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html\n [2]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html\n [3]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketCors.html\n [4]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycle.html\n [5]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html\n [6]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html\n [7]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html\n [8]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html\n\n## Changelog\n18 March 2022 - Updated signal message, query and severity.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:(PutBucketAcl OR PutBucketPolicy OR PutBucketCors OR PutBucketLifecycle OR PutBucketReplication OR DeleteBucketPolicy OR DeleteBucketCors OR DeleteBucketReplication)","groupByFields":["@userIdentity.arn"],"aggregation":"count","name":"s3_bucket_policy_modified","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"A S3 bucket policy was modified","condition":"s3_bucket_policy_modified > 0"}],"type":"log_detection","id":"nl3-oht-jhi","createdAt":1584475579499,"name":"S3 bucket policy modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when SELinux enforcement is disabled.\n\n## Strategy\nThis detection monitors the change 
of SELinux enforcing mode.\n\n## Triage & Response\n1. Check which user or process disabled SELinux enforcing mode.\n2. If the change is not expected, roll back to enable SELinux enforcing mode.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. Find and repair the root cause of the attack.\n\n*Requires Agent version 7.30 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:selinux_disable_enforcement","groupByFields":["host"],"aggregation":"count","name":"selinux_disable_enforcement","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"selinux_disable_enforcement","condition":"selinux_disable_enforcement > 0"}],"type":"workload_security","id":"vvf-qwb-uhj","createdAt":1635332067172,"name":"SELinux enforcement disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.2","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSELinux is an effective and easy-to-use Linux application security system. It is available by default on some distributions such as Red Hat and Fedora.\n\n## Rationale\n\nSELinux provides a Mandatory Access Control (MAC) system that greatly augments the default Discretionary Access Control (DAC) model. You can therefore add an extra layer of safety to your containers by enabling SELinux on your Linux host.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis command returns all the security options currently configured on the containers listed.\n\n## Remediation\n\nIf SELinux is applicable for your Linux OS, you should use it.\n\n1. 
Set the SELinux State.\n2. Set the SELinux Policy.\n3. Create or import a SELinux policy template for Docker containers.\n4. Start Docker in daemon mode with SELinux enabled. For example: `docker daemon --selinux-enabled`\n5. Start your Docker container using the security options. For example, `docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash`\n\n## Impact\n\nAny restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers.\n\n## Default value\n\nBy default, no SELinux security options are applied on containers.\n\n## References\n\n1. https://docs.docker.com/engine/security/security/#other-kernel-security-features\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/\n4. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/container_security_guide/docker_selinux_security_policy\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.2","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"eww-c9f-0hf","createdAt":1599605036108,"name":"SELinux security options are configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic publishing permissions.\n\n## Rationale\n\nSetting the topic publishing permission to `Everyone` gives anyone access to publish on a topic. Unauthenticated users can publish malicious messages.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. 
Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_pub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Publish\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Publish\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mhf-jlo-c49","createdAt":1616090993934,"name":"SNS Topic has restrictions set for publishing"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic subscription permissions.\n\n## Rationale\n\nAnonymous users can subscribe and receive messages that you publish, leaving the security of your application or service at risk.\n\n## Remediation\n\n### Console\n\nFollow the [Preventative best practices][1] docs to learn how to implement least-privilege access or use IAM roles for your applications and AWS services.\n\n### CLI\n\n1. Update your [access control policy][2] with the IAM user ARN. Configure `action` to `SNS:Publish` and include your AWS IAM ARN. 
Save the file.\n\n ```\n {\n ...\n \"Statement\": [\n ...\n {\n \"Sid\": \"console_sub\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::123456789012:root\"\n },\n \"Action\": [\n \"SNS:Subscribe\",\n \"SNS:Receive\"\n ],\n ...\n }\n ]\n }\n ```\n\n2. Run `set-topic-attributes` with the [ARN of the SNS topic][3].\n\n ```\n aws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name DisplayName\n --attribute-value YourTopicDisplayName\n ```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-security-best-practices.html#preventative-best-practices\n[2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"validationQuery":"@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" 
@statement_has_condition:false","resourceType":"aws_sns_topic","filter":"","queryPath":"policies","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (@statement_effect:Allow (@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_action:(\"SNS:Subscribe\" OR \"sns:Subscribe\") @statement_action:(\"SNS:Receive\" OR \"sns:Receive\") @statement_resource:\"arn:aws:sns:*\" @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"bin-p21-78u","createdAt":1616090993824,"name":"SNS Topic has restrictions set for subscription"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","security:compliance","scope:sns","cloud_provider:aws","control:3.4","control:4.1","source:sns","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Server-Side Encryption for your AWS Simple Notification Service (SNS) topics.\n\n## Rationale\n\nServer-Side Encryption (SSE) protects the data of published messages within your SNS topics, which can help adhere to compliance and 
regulatory requirements.\n\n## Remediation\n\n### Console\n\nFollow the [Enabling server-side encryption (SSE) for an Amazon SNS topic][1] docs to learn how to enable encryption from the AWS Management Console.\n\n### CLI\n\nRun `set-topic-attributes` with the [ARN of the SNS topic][2] and the [KmsMasterKeyId][3].\n\n```\naws sns set-topic-attributes\n --topic-arn arn:aws:sns:region:123456789012:YourTopic\n --attribute-name KmsMasterKeyId\n --attribute-value YourTopicDisplayName\n```\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-enable-encryption-for-topic.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sns/set-topic-attributes.html#set-topic-attributes\n[3]: https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html#sse-key-terms\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-@kms_master_key_id:*","resourceType":"aws_sns_topic","filter":"","queryPa
th":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic (-@kms_master_key_id:*)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"iel-fa4-gpw","createdAt":1623249809232,"name":"SNS Topic has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:sns","requirement:Least-Privileged-Access","cloud_provider:aws","framework:gdpr","control:164.308-a-3-i","source:sns","control:7.2.1","requirement:Compliance","control:7.2.2","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:A.9.2.3","control:32.1b","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate your Amazon Simple Notification Service (SNS) topic permissions.\n\n## Rationale\n\nPublicly-accessible topics allow unauthorized users access to receive and publish messages and subscribe to exposed topics.\n\n## Remediation\n\n### Console\n\nFollow the [Using identity-based policies with Amazon SNS][1] docs to learn how to create or add to a policy in the AWS Console.\n\n### CLI\n\nIf you do not have an access control policy, [create one][2].\n\n1. Select `SNS Topic Policy` as the type of policy.\n2. Add a statement to allow only specific IAM users and roles to have access to the topic. 
For example:\n\n ```\n Effect: `Allow`\n Principal: `arn:aws:iam::123456789012:root`\n Action: `Add permission`\n Amazon Resource Name: `arn:aws:iam::123456789012:root`\n ```\n\nIf you do have an access control policy, follow the [add-permissions][3] docs to add a permission to your existing policy.\n\n[1]: https://docs.aws.amazon.com/sns/latest/dg/sns-using-identity-based-policies.html#iam-and-sns-policies\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nprincipal_policy_lenient(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tpolicy_principal.principal_aws[_] == \"*\"\n}\n\npolicy_lenient(policy) if {\n\tpolicy.statement_effect == \"Allow\"\n\tnot policy.statement_has_condition\n\n\tprincipal_policy_lenient(policy.policy_principal)\n}\n\neval(sns_topic) = \"fail\" 
if {\n\tpolicy := sns_topic.policies[_]\n\tpolicy_lenient(policy)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sns_topic"]},"validationQuery":"","resourceType":"aws_sns_topic","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sns_topic","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"5q9-vwc-cqy","createdAt":1616090993891,"name":"SNS Topic is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","framework:cis-gcp","requirement:Compliance","level:1","scope:google_sql_database_instance","control:6.5","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nA database server should accept connections only from trusted networks and IPs and\nrestrict access from public IP addresses.\n\n## Rationale: \nTo minimize 
attack surface on a database server instance, only trusted, known, and\nrequired IPs should be allowed to connect to it.\nAn authorized network should not have IPs or networks configured to `0.0.0.0/0` which\nallows access to the instance from anywhere in the world. Authorized networks\napply only to instances with public IPs.\n\n## Impact: \nThe Cloud SQL database instance would not be available to public IP addresses.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console by visiting [https://console.cloud.google.com/sql/instances][1].\n2. Click the instance name to open its `Instance details` page.\n3. Under the `Configuration` section click `Edit configurations`.\n4. Under `Configuration options` expand the `Connectivity` section.\n5. Click the `delete` icon for the authorized network `0.0.0.0/0`.\n6. Click `Save` to update the instance.\n\n### From command line:\nUpdate the authorized network list by removing addresses:\n```\ngcloud sql instances patch --authorized-networks=IP_ADDR1,IP_ADDR2...\n```\n## Prevention:\nTo prevent new SQL instances from being configured to accept incoming connections from\nany IP addresses, set up a `Restrict Authorized Networks on Cloud SQL instances` Organization Policy at: [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][2].\n\n\n## Default value:\nBy default, authorized networks are not configured. Remote connection to Cloud SQL\ndatabase instance is not possible unless authorized networks are configured.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-ip][3]\n2. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks][4] \n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. 
[https://cloud.google.com/sql/docs/mysql/connection-org-policy][6]\n\n\n## Additional information:\nThere is no IPv6 configuration found for Google cloud SQL server services.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[3]: https://cloud.google.com/sql/docs/mysql/configure-ip\n[4]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictAuthorizedNetworks\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://cloud.google.com/sql/docs/mysql/connection-org-policy\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.5","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"fail\" if {\n\taddress := sql_database_instance.settings.ip_configuration.authorized_networks[_]\n\taddress.value in [\"0.0.0.0\", \"0.0.0.0/0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"thi-vol-4qb","createdAt":1657138883399,"name":"SQL Database Instances do not implicitly accept all public IP 
addresses"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Azure","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","control:6.3","framework:cis-azure","requirement:Communications-Security","control:2.4","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","framework:security-labs","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP).\n\n## Rationale\n\nSQL Server includes a firewall to block access to unauthorized connections. More granular IP addresses can be defined by referencing the range of addresses available from specific data centers. By default for a SQL server, a firewall exists with start IP of 0.0.0.0 and end IP of 0.0.0.0, allowing access to all the Azure services. Additionally a custom rule can be set up with start IP of 0.0.0.0 and end IP of 255.255.255.255, allowing access from ANY IP over the Internet. In order to reduce the potential attack surface for a SQL server, firewall rules should be defined with more granular IP addresses by referencing the range of addresses available from specific data centers.\n\n### Impact\n\nDisabling allow access to Azure Services will break all connections to SQL server and hosted databases unless custom IP-specific rules are not added in Firewall Policy.\n\n## Remediation\n\n### From the console:\n\n1. Go to SQL servers\n2. For each SQL server, click on Firewall / Virtual Networks\n3. Set Allow access to Azure services to `OFF`\n4. 
Set firewall rules to limit access to only authorized connections\n\n### Using PowerShell:\n\nDisable default firewall rule \"Allow access to Azure services\":\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"AllowAllWindowsAzureIps\" -ResourceGroupName -ServerName \n```\n\nRemove custom firewall rule:\n\n```powershell\nRemove-AzureRmSqlServerFirewallRule -FirewallRuleName \"\" -ResourceGroupName -ServerName \n```\n\nSet the appropriate firewall rules:\n\n```powershell\nSet-AzureRmSqlServerFirewallRule -ResourceGroupName -ServerName -FirewallRuleName \"\" -StartIpAddress \"\" -EndIpAddress \"\"\n```\n\n## References\n\n1. [https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017][1]\n2. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0][2]\n3. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0][3]\n4. [https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0][4] \n5. [https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure][5]\n6. [https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current][6] \n7. [https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic][7]\n\nAdditional Information: Firewall rules configured on individual SQL Database using Transact-SQL overrides the rules set on SQL server. Azure does not provides any Powershell, API, CLI, Portal option to check database level firewall rules and so far Transact-SQL is the only way to check for the same. 
For comprehensive control over egress traffic on SQL Databases, firewall rules should be checked using SQL client.\n\n[1]:https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-a-windows-firewall-for-database-engine-access?view=sql-server-2017\n[2]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[3]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/set-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[4]:https://docs.microsoft.com/en-us/powershell/module/azurerm.sql/remove-azurermsqlserverfirewallrule?view=azurermps-5.2.0\n[5]:https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure\n[6]:https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-set-database-firewall-rule-azure-sql-database?view=azuresqldb-current\n[7]:https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.3","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"2.4","framework":"security-labs","requirement":"Azure","version":"1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Secur
ity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255)","resourceType":"azure_sql_server","filter":"","queryPath":"firewall_rules","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (@start_ip_address:0.0.0.0 @end_ip_address:(0.0.0.0 OR 255.255.255.255))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"5k7-xx0-nje","createdAt":1635237001240,"name":"SQL Databases do not allow ingress 0.0.0.0/0 (ANY IP)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.2.4","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure `send scan reports to` with the email IDs of concerned data owners and stakeholders for a 
critical SQL server.\n\n## Rationale\n\nVulnerability Assessment (VA) scan reports and alerts are sent to email IDs configured with `send scan reports to`. This may help in reducing time required for identifying risks and taking corrective measures.\n\n## Impact\n\n**Note**: Enabling the Azure Defender for SQL features incurs additional costs for each SQL server.\n\n## Remediation\n\nAzure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Ensure that Azure Defender for SQL is enabled\n5. Select Configure next to enabled at subscription-level\n6. In Vulnerability Assessment Settings, configure Storage Accounts\n7. Configure email IDs for concerned data owners and stakeholders in the `send scan reports to` section.\n8. Click Save\n\nAzure PowerShell:\n\nIf not already, enable Advanced Data Security for a SQL: `ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True`\n\n\nTo enable ADS-VA service and set `send scan reports to`:\n\n```bash\nUpdate-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"fiu-woq-ui1","createdAt":1645802555241,"name":"SQL Server Vulnerability Assessments send scan reports to subscribed 
admins"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","requirement:Cloud-SQL","cloud_provider:gcp","source:google_sql_database_instance","requirement:Default-Security-Parameter","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","scope:google_sql_database_instance","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","control:6.4","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended to enforce all incoming connections to SQL database instances to use SSL.\n\n## Rationale\nSQL database connections, if successfully trapped (MITM), can reveal sensitive data like\ncredentials, database queries, query outputs, and so on. For security, it is recommended to always\nuse SSL encryption when connecting to your instance. This recommendation is applicable\nto PostgreSQL, MySQL generation 1, MySQL generation 2, and SQL Server 2017 instances.\n\n### Additional Information\nBy default, `Settings: ipConfiguration` has no `authorizedNetworks` set or configured. In\nthat case, even if `requireSSL` is not set by default, which is equivalent to `requireSSL:false`,\nthere is no risk as the instance cannot be accessed outside of the network, unless\n`authorizedNetworks` is configured. 
However, if the default for `requireSSL` is not updated to\n`true`, any `authorizedNetworks` created later on will not enforce SSL-only connections.\n\n### Impact\nAfter enforcing SSL connections, the existing client will not be able to communicate with the SQL\nserver, unless it is configured with appropriate client-certificates to communicate to the SQL\ndatabase instance.\n\n### Default Value\nBy default, the parameter `settings: ipConfiguration: requireSSL` is not set, which is\nequivalent to `requireSSL:false`.\n\n## Remediation\n\n### From the console:\n1. Go to the [Cloud SQL Instances page][1].\n2. Click on an instance name to see its configuration overview.\n3. In the left-side panel, select **Connections**.\n4. In the SSL connections section, click **Allow only SSL connections**.\n5. Under Configure SSL server certificates, click **Create new certificate**.\n6. Under Configure SSL client certificates, click **Create a client certificate**.\n7. Follow the instructions shown to learn how to connect to your instance.\n\n### From the command line:\nTo enforce SSL encryption for an instance, run the command:\n```\ngcloud sql instances patch --require-ssl\n```\n\n**Note:** A **restart** is required for type MySQL Generation 1 Instances (`backendType: FIRST_GEN`) for\nthis configuration to go into effect.\n\n## References\n1. 
[http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/][2]\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: http://cloud.google.com/sql/docs/postgres/configure-ssl-instance/","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.4","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot authorizedNetworksExists(sql_database_instance)\n} else = \"pass\" {\n\tsql_database_instance.settings.ip_configuration.require_ssl\n} else = \"fail\" {\n\ttrue\n}\n\nauthorizedNetworksExists(sql_database_instance) if {\n\tsql_database_instance.settings.ip_configuration.authorized_networks[_]\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"udh-mzm-bhu","createdAt":1658821626960,"name":"SQL database instance uses SSL for all incoming connections"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","requirement:Cloud-SQL","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","scope:google_cloud_sql_instance","level:2","source:google_cloud_sql_instance","control:3.9","control:6.6","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.2.3","control:1.3.2","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","requirement:Communications-Security","control:7.1","requirement:Control-Activities","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description: \nDatadog recommends configuring the second generation SQL instance to use private IPs instead of\npublic IPs.\n\n## Rationale: \nTo lower the organization's attack surface, ensure your 
Cloud SQL databases does not have public IPs.\nPrivate IPs provide improved network security and lower latency for your application.\n\n## Impact: \nRemoving the public IP address on SQL instances may break applications that relied\non it for database connectivity.\n\n## Remediation: \n\n### From console:\n1. Go to the Cloud SQL Instances page in the Google Cloud Console:\n[https://console.cloud.google.com/sql/instances][1]\n2. Click the instance name to open its Instance details page.\n3. Select the `Connections` tab.\n4. Deselect the `Public IP` checkbox.\n5. Click `Save` to update the instance.\n\n### From command line:\n\n1. For every instance, remove the public IP and assign a private IP instead:\n ```\n gcloud sql instances patch --network= --no-assign-ip\n ```\n\n2. Confirm the changes using the following command:\n ```\n gcloud sql instances describe \n ```\n\n## Prevention:\nTo prevent new SQL instances from getting configured with public IP addresses, set up a\n`Restrict Public IP access on Cloud SQL instances` Organization policy at:\n\n\n[https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][2]\n\n## Default value:\nBy default, Cloud Sql instances have a public IP.\n\n## References:\n1. [https://cloud.google.com/sql/docs/mysql/configure-private-ip][3]\n2. [https://cloud.google.com/sql/docs/mysql/private-ip][4]\n3. [https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints][5]\n4. [https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp][6]\n\n## Additional information:\nReplicas inherit their private IP status from their primary instance. 
You cannot configure a private IP directly on a replica.\n\n[1]: https://console.cloud.google.com/sql/instances\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n[3]: https://cloud.google.com/sql/docs/mysql/configure-private-ip\n[4]: https://cloud.google.com/sql/docs/mysql/private-ip\n[5]: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints\n[6]: https://console.cloud.google.com/iam-admin/orgpolicies/sql-restrictPublicIp\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-gcp","requirement":"Cloud-SQL","version":"1.3.0"},{"control":"3.9","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package 
datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(sql_database_instance) = \"skip\" if {\n\tnot is_second_gen_instance(sql_database_instance)\n} else = \"fail\" {\n\tip := sql_database_instance.ip_addresses[_]\n\tip.type == \"PRIMARY\"\n} else = \"pass\" {\n\ttrue\n}\n\nis_second_gen_instance(sql_database_instance) if {\n\tsql_database_instance.backend_type == \"SECOND_GEN\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_sql_database_instance"]},"validationQuery":"","resourceType":"gcp_sql_database_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_sql_database_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"cns-kbs-qb3","createdAt":1658244446751,"name":"SQL database instances do not have public 
IPs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","control:4.5","framework:cis-azure","requirement:Confidentiality","scope:azure.sql","control:C1.1","requirement:Credentials","requirement:System-Operations","requirement:Compliance","level:1","requirement:Database-Services","control:A.18.1.3","framework:soc-2","requirement:Cardholder-Data","control:3.5.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","control:CC7.2","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nTDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. With TDE, data is encrypted at rest with a symmetric key (called the database encryption key) stored in the database or data warehouse distribution. To protect this data encryption key (DEK) in the past, only a certificate that the Azure SQL Service managed could be used. With Customer-managed key support for TDE, the DEK can be protected with an asymmetric key stored in the Key Vault. The Key Vault is a highly available and scalable cloud-based key store that offers central key management, leverages FIPS 140-2 Level 2 validated hardware security modules (HSMs), and allows separation of keys and data for additional security. Based on business needs or the criticality of data/databases hosted a SQL server, Datadog recommends that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key).\n\n## Rationale\n\nCustomer-managed key support for Transparent Data Encryption (TDE) allows user control of TDE encryption keys and restricts who can access them and when. 
Azure Key Vault, Azures cloud-based external key management system, is the first key management service where TDE has integrated support for customer-managed keys. With customer-managed key support, the database encryption key is protected by an asymmetric key stored in the Key Vault. The asymmetric key is set at the server level and inherited by all databases under that server.\n\n## Remediation\n\nFrom Azure Console:\n1. Go to SQL servers for the desired server instance\n2. Click On Transparent data encryption\n3. Set Use your own key to YES\n4. Browse through your key vaults to select an existing key or create a new key in the key vault.\n5. Check Make selected key the default TDE protector Using Azure CLI. Use the below command to encrypt SQL server's TDE protector with a Customer-managed key: `az sql server tde-key >> Set --resource-group --server --server-key-type {AzureKeyVault} [--kid ]`\n\n## Impact\n\nOnce the TDE protector is encrypted with a customer-managed key, it transfers the entire responsibility of key management to you. Hence, you should be more careful about doing any operations on the particular key to keep data from the corresponding SQL server Databases host accessible. When deploying customer-managed keys, ensure that you deploy an automated toolset for managing these keys (this should include discovery and key rotation), and keys should be stored in an HSM or hardware backed keystore; for example, Azure Key Vault). As far as toolsets go, check with your cryptographic key provider as they may well provide one as an add-on to their service.\n\n## References\n\n1. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption-byok-azure-sql\n2. https://azure.microsoft.com/en-in/blog/preview-sql-transparent-data-encryption-tde-with-bring-your-own-key-support/\n3. https://winterdom.com/2017/09/07/azure-sql-tde-protector-keyvault\n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-1-standardize-azure-active-directory-as-the-central-identity-and-authentication-system\n\n**Note**: This configuration can be done only on an SQL server. The same configuration will be in effect on SQL Databases hosted on SQL Server. Ensuring yourTDE is protected by a Customer-managed key on SQL Server does not ensure SQL Databases' encryption. Transparent Data Encryption Data Encryption (ON/OFF) setting on individual SQL Database decides whether the database is encrypted or not.\n\n## CIS Controls\n\nVersion 7\n\n16.4 Encrypt or Hash all Authentication Credentials: Encrypt or hash with a salt all authentication credentials when stored. \n\n5 Logging and Monitoring: This section covers security recommendations to follow to set logging and monitoring policies on an Azure Subscription.\n\n5.1 Configuring Diagnostic Settings: The Azure Diagnostic Settings capture control/management activities performed on a subscription. By default, the Azure Portal retains activity logs only for 90 days. The Diagnostic Settings define the type of stored or streamed events and the output storage account, and the event hub. The Diagnostic Settings, if appropriately configured, can ensure that all activity logs are retained for a longer duration. This section has recommendations for correctly configuring the Diagnostic Settings so that all activity logs captured are retained for longer periods. When configuring Diagnostic Settings, you may choose to export in one of three ways in which you need to ensure appropriate data retention. The options are Log Analytics, Event Hub, and a Storage Account. 
It is important to ensure you are aware and have set retention as your organization sees fit.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"3.5.2","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\"))","resourceType":"azure_sql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_sql_server (-(@encryption_protector.kind:(\"azurekeyvault\") @encryption_protector.server_key_type:(\"AzureKeyVault\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ju5-j5j-p5u","createdAt":1624867975195,"name":"SQL server's TDE protector is encrypted with Customer-managed 
key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","source:sqs","framework:gdpr","requirement:Compliance","requirement:Cardholder-Data","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","control:164.308-a-1-ii-B","framework:pci","scope:sqs","security:compliance","cloud_provider:aws","control:3.4","control:4.1","requirement:Control-Activities","requirement:Security-of-Processing","control:A.18.1.3","framework:soc-2","control:32.1b","requirement:Logical-and-Physical-Access-Control","control:164.312-e-2-ii","requirement:Encryption-In-Transit","control:164.312-e-2-i","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your Amazon Simple Queue Service (SQS) messages with server-side encryption.\n\n## Rationale\n\nEncryption ensures that Amazon SQS messages, which may contain sensitive data, are not available to anonymous or unauthorized users.\n\n## Remediation\n\n### Console\n\nFollow the [Configuring service-side encryption for a queue(console)][1] docs to learn how to create and use AWS Key Management Service (AWS KMS) to manage customer master keys (CMK) for server-side encryption.\n\n### CLI\n\n1. Define `set-queue-attributes` in [a file][2]. Use your custom KMS Master Key ARN for `KmsMasterKeyID`. Save the file.\n\n ```\n {\n \"KmsMasterKeyId\": \"custom_key_arn\",\n \"KmsDataKeyReusePeriodSeconds\": \"300\"\n }\n ```\n\n2. 
Run `set-queue-attributes` with the [queue URL and the file][2] created in step 1.\n\n ```\n aws sqs set-queue-attributes\n --queue-url https://us-west-2.queue.amazonaws.com/123456789012/WebWorkerSQSQueue\n --attributes file://sqs-sse-enabled.json\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\n[2]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-syntax\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/set-queue-attributes.html#synopsis\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"32.1b","framework":"gdpr","requirement":"Security-of-Processing","version":"1"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.312-e-2-ii","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"validationQuery":"-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true)","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue 
(-(@kms_master_key_id:* OR @sqs_managed_sse_enabled:true))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0m4-moi-xdg","createdAt":1616090993978,"name":"SQS Queue has server-side encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","source:sqs","requirement:Least-Privileged-Access","cloud_provider:aws","control:164.308-a-3-i","control:7.2.1","requirement:Compliance","control:7.2.2","control:A.18.1.3","framework:soc-2","control:A.9.2.3","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","framework:hipaa","requirement:Access-Control","control:CC6.3","framework:pci","control:CC6.1","requirement:Workforce-Security","scope:sqs"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nUpdate Amazon Simple Queue Service (SQS) queue permissions.\n\n## Rationale\n\nPublicly-available Amazon SQS queues give unauthorized users access to potentially intercept, delete, or send queue messages, which can lead to data leaks.\n\n## Remediation\n\n### Console\n\nFollow the [Managing access to resources][1] docs to learn how to implement a permissions policy in the AWS console.\n\n### CLI\n\n1. Run `list-queues` to get a list of queue URLs.\n2. Run `get-queue-attributes` with a [queue URL][2] returned in step 1.\n\n ```\n aws sqs get-queue-attributes\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --attribute-names Policy\n ```\n\n3. 
Run `add-permission` to [add a new statement][3] to your queue policy.\n\n ```\n aws sqs add-permission\n --queue-url https://queue.amazonaws.com/123456789012/YourQueue\n --label SendMessages\n --aws-account-ids 123456789012\n --actions SendMessage\n ```\n\n[1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-overview-of-managing-access.html#sqs-managing-access-to-resources\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/get-queue-attributes.html\n[3]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sqs/add-permission.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nbad_policy_principal(policy_principal) if {\n\tpolicy_principal.principal == \"*\"\n} else {\n\tprincipal_aws = policy_principal.principal_aws[_]\n\tprincipal_aws == \"*\"\n}\n\neval(sqs_queue) = \"fail\" if {\n\tpolicy := sqs_queue.policies[_]\n\tbad_policy_principal(policy.policy_principal)\n\tpolicy.statement_effect = \"Allow\"\n\tpolicy.statement_has_condition = false\n} else = \"pass\" 
{\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_sqs_queue"]},"validationQuery":"","resourceType":"aws_sqs_queue","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_sqs_queue","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"aqs-n9k-inj","createdAt":1616090993985,"name":"SQS Queue is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","requirement:Compliance","level:1","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:6.2","control:7.2.1","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable SSH access on network security groups from the internet.\n\n## Rationale\n\nThe potential security problem with using SSH over the internet is that attackers can use various brute force techniques to gain access to Azure Virtual Machines. 
Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct SSH access to your Azure Virtual Machines from the internet. After direct SSH access from the internet is disabled, you have other options you can use to access these virtual machines for remote management.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/azure-security-network-security-best-practices#disable-rdpssh-access-to-azure-virtual-machines\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","frame
work":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nssh_allowed(security_rule) if {\n\tsecurity_rule.access == \"Allow\"\n\tsecurity_rule.protocol in [\"TCP\", \"*\"]\n\tsecurity_rule.direction == \"Inbound\"\n\tsecurity_rule.destination_port_range in [\"22\", \"*\"]\n\tsecurity_rule.source_address_prefix in [\"*\", \"0.0.0.0\", \"/0\", \"*/0\", \"Internet\", \"Any\"]\n}\n\neval(security_group) = \"fail\" if {\n\tsecurity_rule := security_group.security_rules[_]\n\tssh_allowed(security_rule)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_security_group"]},"validationQuery":"","resourceType":"azure_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"tox-iwp-m0l","createdAt":1624867978808,"name":"SSH access is restricted from the 
Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","scope:google_compute_firewall","control:CC6.6","cloud_provider:gcp","framework:cis-gcp","requirement:Compliance","level:2","framework:iso-27001","requirement:Access-Control","requirement:GCP","framework:pci","control:1.3.1","control:1.1.4","security:compliance","control:3.6","requirement:Communications-Security","control:1.4","control:3.2","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","source:google_compute_firewall","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nGCP Firewall Rules are specific to a VPC Network. Each rule either allows or denies\ntraffic when its conditions are met. Its conditions allow the user to specify the type of\ntraffic, such as ports and protocols, and the source or destination of the traffic, including IP\naddresses, subnets, and instances.\nFirewall rules are defined at the VPC network level and are specific to the network in which\nthey are defined. The rules themselves cannot be shared among networks. Firewall rules\nonly support IPv4 traffic. When specifying a source for an ingress rule or a destination for\nan egress rule by address, only an IPv4 address or IPv4 block in CIDR notation can be\nused. Generic (0.0.0.0/0) incoming traffic from the internet to VPC or VM instance using\nSSH on Port 22 can be avoided.\n\n## Rationale\nGCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from\ninstances and incoming (ingress) traffic to instances in the network. Egress and ingress\ntraffic flows are controlled even if the traffic stays within the network (for example,\ninstance-to-instance communication). 
For an instance to have outgoing Internet access, the\nnetwork must have a valid Internet gateway route or custom route whose destination IP is\nspecified. This route simply defines the path to the Internet, to avoid the most general\n(0.0.0.0/0) destination IP Range specified from the Internet through SSH with the default\nPort 22. Generic access from the Internet to a specific IP Range needs to be restricted.\n\n## Impact\nAll Secure Shell (SSH) connections from outside of the network to the concerned VPC(s)\nwill be blocked. There could be a business need where SSH access is required from outside\nof the network to access resources associated with the VPC. In that case, specific source\nIP(s) should be mentioned in firewall rules to include access to SSH port for the\nconcerned VPC(s).\n\n## Remediation\n\n### From console\n1. Go to VPC Network.\n2. Go to the Firewall Rules.\n3. Click the Firewall Rule you want to modify.\n4. Click Edit.\n5. Modify Source IP ranges to specific IP.\n6. Click Save.\n\n### From the command line\n1.Update the Firewall rule with the new SOURCE_RANGE from the following command:\n ```\n gcloud compute firewall-rules update FirewallName --allow=[PROTOCOL[:PORT[-PORT]],...] --source-ranges=CIDR_RANGE,...]\n ```\n\n## References\n1. [https://cloud.google.com/vpc/docs/firewalls#blockedtraffic][1]\n2. [https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts][2]\n\n## Additional Information\nAs of this writing, GCP VPC only supports IPv4; however, Google is working on adding IPv6 support for VPC. If you are using IPv6, the rule should check for the IPv6 equivalent ::0 along with source IP range 0.0.0.0.\n\n## CIS Controls\nVersion 8 - 4.4: Implement and Manage a Firewall on Servers\n- Implement and manage a firewall on servers, where supported. 
Example\nimplementations include a virtual firewall, operating system firewall, or a third-party\nfirewall agent.\n\nVersion 8 - 4.5: Implement and Manage a Firewall on End-User Devices\n- Implement and manage a host-based firewall or port-filtering tool on end-user\ndevices, with a default-deny rule that drops all traffic except those services and ports\nthat are explicitly allowed.\n\nVersion 7 - 9.2: Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure that only network ports, protocols, and services with\nvalidated business needs are listening on a system.\n\nVersion 7 - 12.4: 12.4 Deny Communication over Unauthorized Ports\n- Deny communication or application traffic over unauthorized TCP or UDP ports, to\nensure that only authorized protocols are allowed to cross the network boundary in or\nout of the network, at each of the organization's network boundaries.\n\n[1]: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic\n[2]: https://cloud.google.com/blog/products/identity-security/cloud-iap-enables-context-aware-access-to-vms-via-ssh-and-rdp-without-bastion-hosts\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.6","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.2","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"1.1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"CC6.6
","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ntarget_port := 22\n\ntarget_direction_is_present(compute_firewall) if {\n\tcompute_firewall.direction == \"INGRESS\"\n}\n\ntarget_protocol_is_present(allowed) if {\n\tallowed.ip_protocol in [\"tcp\", \"ALL\"]\n}\n\ntarget_port_is_present(allowed) if {\n\tcontains(allowed.ports[_], \"-\")\n\trange := split(allowed.ports[_], \"-\")\n\tfrom := to_number(range[0])\n\tto := to_number(range[1])\n\ttarget_port >= from\n\ttarget_port <= to\n} else {\n\tto_number(allowed.ports[_]) == target_port\n} else {\n\tallowed.ports[_] == \"\"\n}\n\nshould_not_skip_compute_firewall(compute_firewall) if {\n\ttarget_direction_is_present(compute_firewall)\n\tallowed := compute_firewall.allowed[_]\n\ttarget_protocol_is_present(allowed)\n\ttarget_port_is_present(allowed)\n}\n\neval(compute_firewall) = \"skip\" if {\n\tnot should_not_skip_compute_firewall(compute_firewall)\n} else = \"fail\" {\n\tcompute_firewall.source_ranges[_] in [\"0.0.0.0/0\", \"::0\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["gcp_compute_firewall"]},"validationQuery":"","resourceType":"gcp_compute_firewall","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_firewall","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"23t-kvk-vbo","createdAt":1657310084964,"name":"SSH access is restricted from the internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1098-account-manipulation","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to authorized SSH keys.\n\n## Strategy\nSSH is a commonly used key-based authentication mechanism. In this system, the authorized_keys file specifies SSH keys that can be used to authenticate as a specific user on the system. Attacker's may modify the authorized_keys file to authorize attacker-owned SSH keys. This allows the attacker to maintain persistence on a system as a specific user.\n\n## Triage and response\n1. Check what changes were made to authorized_keys, and under which user.\n2. Determine whether any keys were added. If so, determine if the added keys belong to known trusted users.\n3. 
If they keys in question are not acceptable, roll back the host or container in question to a known trusted SSH configuration.\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chmod)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chmod","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_chown)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_chown","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_link)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_link","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_rename)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_rename","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_open)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_open","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_unlink)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_unlink","distinctFields":[]},{"query":"@agent.rule_id:(ssh_authorized_keys OR ssh_authorized_keys_utimes)","groupByFields":["host"],"aggregation":"count","name":"ssh_authorized_keys_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"ssh_authorized_keys","condition":"ssh_authorized_keys_chmod > 0 || ssh_authorized_keys_chown > 0 || ssh_authorized_keys_link > 0 || ssh_authorized_keys_rename > 0 || ssh_authorized_keys_open > 0 || ssh_authorized_keys_unlink > 0 || ssh_authorized_keys_utimes > 
0"}],"type":"workload_security","id":"iqs-k9p-ivj","createdAt":1606142954844,"name":"SSH authorized keys modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","source:runtime-security-agent","technique:T1553-subvert-trust-controls","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect potential tampering with SSL certificates.\n\n## Strategy\nSSL certificates, and other forms of trust controls establish trust between systems. Attackers may attempt to subvert trust controls such as SSL certificates in order to trick systems or users into trusting attacker-owned assets such as fake websites, or falsely signed applications.\n\n## Triage and response\n1. Check whether there were any planned changed to the SSL certificates stores in your infrastructure.\n2. If these changes are not acceptable, roll back the host or container in question to a known trustworthy configuration.\n3. Investigate security signals (if present) occurring around the time of the event to establish an attack path.\n4. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(ssl_certificate_tampering OR ssl_certificate_tampering_chmod OR ssl_certificate_tampering_chown OR ssl_certificate_tampering_link OR ssl_certificate_tampering_rename OR ssl_certificate_tampering_open OR ssl_certificate_tampering_unlink OR ssl_certificate_tampering_utimes) -@process.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.parent.executable.path:\\/usr\\/sbin\\/update-ca-certificates -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\" -@process.executable.name:runc*","groupByFields":["host"],"aggregation":"count","name":"ssl_certificate_tampering","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"ssl_certificate_tampering","condition":"ssl_certificate_tampering > 0"}],"type":"workload_security","id":"any-phm-6ub","createdAt":1606142980369,"name":"SSL certificate tampering"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","control:4.3.2","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","source:azure.dbformysql","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","scope:azure.dbformysql","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on 
MySQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for MySQL server\n3. For each database, click on Connection security\n4. In SSL settings, click on Enabled for enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to set MYSQL Databases to Enforce SSL connection:\n\n ```bash\n az mysql server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/mysql/howto-configure-ssl\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.2","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_mysql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_mysql_server 
(-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"cxd-off-x2e","createdAt":1624867976718,"name":"SSL connection on MySQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","source:azure.dbforpostgresql","requirement:Compliance","scope:azure.dbforpostgresql","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","requirement:Database-Services","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:2.3","control:4.1","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","control:4.3.1","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable SSL connection on PostgreSQL Servers.\n\n## Rationale\n\nSSL connectivity helps to provide a new layer of security by connecting database servers to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between a database server and its client applications helps protect against \"man in the middle\" attacks by encrypting the data stream between the server and application.\n\n## Remediation\n\nFrom Azure Console:\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Connection security\n4. 
In SSL settings, click on Enabled to enforce SSL connection \n\nAlternatively, use the Azure Command Line Interface and run the below command to enforce SSL connection for PostgreSQL Database:\n\n ```bash\n az postgres server update --resource-group --name --ssl-enforcement Enabled\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.1","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@ssl_enforcement:(\"Enabled\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complex
Rule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@ssl_enforcement:(\"Enabled\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@account_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"9cp-26e-jdc","createdAt":1624867978968,"name":"SSL connection on PostgreSQL Database Server is enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a brute force attack on a Salesforce user. \n\n## Strategy\n**To determine a successful attempt:** Detect when the same user fails to login five times and then successfully logs in. This generates a `MEDIUM` severity signal.\n\n**To determine an unsuccessful attempt:** Detect when the same user fails to login ten times. This generates an `INFO` severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. 
If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @status:\"Invalid Password\"","groupByFields":["@usr.id"],"aggregation":"count","name":"failed_login","distinctFields":[]},{"query":"source:salesforce @status:Success","groupByFields":["@usr.id"],"aggregation":"count","name":"successful_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Successful","condition":"failed_login>5 && successful_login>=1"},{"status":"info","notifications":[],"name":"Attempt","condition":"failed_login>10"}],"type":"log_detection","id":"dm5-uvn-yrr","createdAt":1621929254947,"name":"Salesforce Brute force attack on user"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:salesforce","tactic:TA0006-credential-access","scope:salesforce","technique:T1110-brute-force","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a disabled account attempts to log into Salesforce\n\n## Strategy\nInspect Salesforce logs and determine if there is a login attempt (`@evt.name:LoginEvent`) from from a disabled account (`@status:\\\"User is Inactive\\\"`). If more than ten attempts to authenticate to a disabled account a `MEDIUM` severity signal is created.\n\n## Triage and response\n1. 
Determine if the IP (`@network.client.ip`) has attempted to log into other accounts.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:salesforce @evt.name:LoginEvent @status:\"User is Inactive\"","groupByFields":["@usr.id"],"aggregation":"count","name":"disabled_login","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Single Attempt","condition":"disabled_login > 1"},{"status":"medium","notifications":[],"name":"Multiple Attempts","condition":"disabled_login > 10"}],"type":"log_detection","id":"j57-vod-bnw","createdAt":1621929254817,"name":"Salesforce Login from Disabled Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.4.2","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not bind the scheduler service to non-loopback insecure addresses.\n\n## Rationale\n\nThe Scheduler API service which runs on port 10251/TCP by default is used for health and metrics information and is available without authentication or encryption. As such it should only be bound to a localhost interface, to minimize the cluster's attack surface\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--bind-address` argument is set to `127.0.0.1`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` on the master node and ensure the correct value for the `--bind-address` parameter.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `--bind-address` parameter is set to `0.0.0.0`.\n\n## References\n\n1. 
[https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/][1]\n\n## CIS controls\n\nVersion 6.9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system. \n\nVersion 7.9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system. \n\n[1]: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.2","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.2\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"g1h-91b-y2x","createdAt":1599601351149,"name":"Scheduler API service is bound to localhost"}]} + {"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. 
Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"} headers: Content-Type: - application/json 
@@ -976,11 +806,11 @@ interactions: headers: Accept: - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=6&page%5Bsize%5D=100 + url: https://api.datadoghq.com/api/v2/security_monitoring/rules/3d9-oev-jbm method: GET response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.15","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/scheduler.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. 
Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.15","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.15\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"fmc-m0d-pe5","createdAt":1599604530000,"name":"Scheduler configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.16","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `scheduler.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `scheduler.conf` file is the kubeconfig file for the Scheduler. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/scheduler.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/scheduler.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `scheduler.conf` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kubeadm/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.16","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.16\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"pbp-y4b-dhf","createdAt":1599600185878,"name":"Scheduler configuration file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.5","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod specification file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the Scheduler service in the master node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. 
For example, `chmod 644 /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file has permissions of 640.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.5","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qxe-hc6-qlm","createdAt":1599604179189,"name":"Scheduler pod specification file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.1.6","requirement:Master-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the scheduler pod 
specification file ownership is set to root:root.\n\n## Rationale\n\nThe scheduler pod specification file controls various parameters that set the behavior of the kube-scheduler service in the master node. You should set its file ownership to maintain the integrity of the file. The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/manifests/kube-scheduler.yaml\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/manifests/kube-scheduler.yaml`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kube-scheduler.yaml` file ownership is set to root:root.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-scheduler/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.6","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"y79-4ts-a0k","createdAt":1599603078027,"name":"Scheduler pod specification file ownership is assigned to root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:1.4.1","security:compliance","requirement:Scheduler","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable profiling, if not needed.\n\n## Rationale\n\nProfiling allows for the identification of specific performance bottlenecks. It generates a significant amount of program data that could potentially be exploited to uncover system and program details. 
If you are not experiencing any bottlenecks and do not need the profiler for troubleshooting purposes, it is recommended to turn it off to reduce the potential attack surface.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-scheduler\n```\nVerify that the `--profiling` argument is set to `false`.\n\n## Remediation\n\nEdit the Scheduler pod specification file `/etc/kubernetes/manifests/kube-scheduler.yaml` file on the master node and set the below parameter:\n\n```\n--profiling=false\n```\n\n## Impact\n\nProfiling information would not be available.\n\n## Default value\n\nBy default, profiling is enabled.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kube-scheduler/ ][1]\n2. [https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md][2]\n\n## CIS controls\n\nVersion 6 14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know Version 7 4 Controlled Use of Administrative Privileges Controlled Use of Administrative Privileges \n\n[1]: https://kubernetes.io/docs/admin/kube-scheduler/ \n[2]: https://github.com/kubernetes/community/blob/master/contributors/devel/profiling.md\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.4.1","framework":"cis-kubernetes","requirement":"Scheduler","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.4.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hya-urf-09b","createdAt":1599603139661,"name":"Scheduler profiling is 
disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.21","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSeccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.\n\n## Rationale\n\nA large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` \n\nThis returns either `` or your modified seccomp profile. If it returns `[seccomp:unconfined]`, the container is running without any seccomp profiles and is therefore not configured in line with good security practices.\n\n## Remediation\n\nBy default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.\n\n## Impact\n\nWith Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of `--cap-add passed` to the container. You should create your own custom seccomp profile in such cases. 
You can also disable the default seccomp profile by passing `--security-opt=seccomp:unconfined` on docker run.\n\n## Default value\n\nWhen you run a container, it uses the default profile unless you override it with the `--security-opt` option.\n\n## References\n\n1. http://blog.scalock.com/new-docker-security-features-and-what-they-mean-seccomp-profiles\n2. https://docs.docker.com/engine/reference/run/#security-configuration\n3. https://github.com/docker/docker/blob/master/profiles/seccomp/default.json\n4. https://docs.docker.com/engine/security/seccomp/\n5. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt\n6. https://github.com/docker/docker/issues/22870\n\n## CIS controls\n\nVersion 6\n\n18 Application Software Security Application Software Security\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.21","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.21\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hub-v5u-cw0","createdAt":1599604972925,"name":"Seccomp profiles are enabled for filtering incoming system 
calls"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:1.22","scored:true","control:CC6.7","source:azure.active_directory","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","scope:azure.active_directory","level:1","requirement:IAM","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","framework:cis-azure","control:2.3","requirement:Control-Activities","control:7.2.1","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:8.3.2","control:8.3.1","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft security defaults are available to everyone. The goal is to ensure that all organizations have a basic level of security-enabled at no extra cost. You can enable security defaults in the Azure portal.\n\n## Rationale\n\nSecurity defaults provide secure default settings that are managed on behalf of organizations to keep customers safe until they are ready to manage their own identity security settings. For example:\n\n- Requiring all users and admins to register for MFA\n- Challenging users with MFA, mostly when they show up on a new device or app, but more often for critical roles and tasks.\n- Disabling authentication from legacy authentication clients, which can't do MFA.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Sign in to the Azure portal as a security administrator, conditional access administrator, or global administrator.\n2. Navigate to Azure Active Directory > Properties.\n3. Select Manage security defaults.\n4. 
Set the Enable security defaults toggle to Yes.\n5. Select Save.\n\n## Impact\n\nEnabling security defaults may negatively impact the functionality of other Microsoft services, such as Microsoft 365. This recommendation should be implemented initially and then may be overridden by other service/product specific CIS Benchmarks.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults\n2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/introducing-security-defaults/ba-p/1061414\n\nAdditional Information: The settings in this recommendation are different in the Microsoft 365 Benchmark. This is because the potential impact associated with disabling of security defaults is dependent upon the security settings implemented in the environment. It is recommended that organizations disabling security defaults plan to implement equivalent settings to replace the settings configured by security defaults.\n\n## CIS Controls\n\nVersion 7 13 - Data 
Protection\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.22","framework":"cis-azure","requirement":"IAM","version":"1.3.0"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.3.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"8.3.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@is_enabled:false","resourceType":"azure_ad_security_defaults_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_ad_security_defaults_policy (@is_enabled:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@display_name"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"fub-xjw-qwz","createdAt":1635237007654,"name":"Security Defaults is enabled on Azure Active 
Directory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect a threat on your application.\n\n## Strategy\nThis rule creates a signal for every security incident created by Sqreen.\n\n## Triage and response\n1. Review the incident on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/incidents\n\n## Changelog\n23 June 2022 - Updated groupby count to reduce rule noise.","options":{"detectionMethod":"threshold","evaluationWindow":0,"maxSignalDuration":0,"keepAlive":0},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:critical @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_critical_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:major @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_major_incidents","distinctFields":["@sqreen.payload.incident_id"]},{"query":"@evt.name:sq.dd0.incident @sqreen.payload.severity:minor @sqreen.payload.event_type:create","groupByFields":["service","@sqreen.payload.name"],"aggregation":"cardinality","name":"sqreen_minor_incidents","distinctFields":["@sqreen.payload.incident_id"]}],"isDeleted":false,"cases":[{"status":"critical","notifications":[],"name":"Critical","condition":"sqreen_critical_incidents > 0"},{"status":"high","notifications":[],"name":"Major","condition":"sqreen_major_incidents > 0"},{"status":"medium","notifications":[],"name":"Minor","condition":"sqreen_minor_incidents > 0"}],"type":"log_detection","id":"qyk-emv-hui","createdAt":1620224110121,"name":"Security Incident Detected by 
Sqreen"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scope:ec2","iaas:aws","framework:cis","source:cloudtrail","technique:T1562-impair-defenses","control:cis-3.10","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an AWS security group is opened to the world.\n\n## Strategy\nMonitor CloudTrail and detect when an AWS security group has been created or modified with one of the following API calls:\n* [AuthorizeSecurityGroupIngress][1]\n\nThis rule inspects the `@requestParameters.ipPermissions.items.ipRanges.items.cidrIp` array to determine if either of the strings are contained:\n* `0.0.0.0/0`\n* `::/0`\n\n## Triage and response\n1. Determine who the user was who made this API call.\n2. Contact the user and see if this was an API call which was made by the user.\n3. If the API call was not made by the user:\n * Rotate the user credentials and investigate what other API calls.\n * Determine what other API calls the user made which were not made by the user.\n\n[1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html\n\n## Changelog\n18 March 2022 - Updated rule query.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:AuthorizeSecurityGroupIngress @requestParameters.ipPermissions.items.ipRanges.items.cidrIp:(\"0.0.0.0/0\" OR \"::/0\")","groupByFields":["@usr.account_id"],"aggregation":"count","name":"sg_open_to_world","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"SG open to world","condition":"sg_open_to_world > 0"}],"type":"log_detection","id":"qdm-6uu-gqf","createdAt":1593621503430,"name":"Security group open to the 
world"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:5.5","requirement:Container-Runtime-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. `/` `/boot` `/dev` `/etc` `/lib` `/proc` `/sys` `/usr`\n\n## Rationale\n\nIf sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.\n\n## Audit\n\nRun this command: `docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'` This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.\n\n## Remediation\n\nDo not mount directories which are security sensitive on the host within containers, especially in read-write mode.\n\n## Impact\n\nNone\n\n## Default value\n\nDocker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.\n\n## References\n\n1. 
https://docs.docker.com/engine/tutorials/dockervolumes/\n\n## CIS controls\n\nVersion 6\n\n14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_container","complianceFrameworks":[{"control":"5.5","framework":"cis-docker","requirement":"Container-Runtime-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-5.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"dmq-wqu-2im","createdAt":1599604814929,"name":"Sensitive host system directories are not mounted on containers"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","source:google_iam_policy","framework:cis-gcp","level:2","framework:iso-27001","requirement:Access-Control","framework:pci","scope:google_iam_policy","control:1.11","security:compliance","requirement:Least-Privileged-Access","control:7.2","control:7.1","requirement:Control-Activities","control:7.1.1","control:7.2.1","control:7.1.3","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC6.2","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nIt is recommended that the principle of 'Separation of Duties' is enforced while assigning KMS related roles to users.\n\n## Rationale\nThe built-in/predefined IAM role `Cloud KMS Admin` allows the user/identity to create, delete, and manage service 
account(s). \n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter/Decrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt and decrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Encrypter` allows the user/identity (with adequate privileges on concerned resources) to encrypt data at rest using an encryption key(s).\n\nThe built-in/predefined IAM role `Cloud KMS CryptoKey Decrypter` allows the user/identity (with adequate privileges on concerned resources) to decrypt data at rest using an encryption key(s).\n\nSeparation of duties is the concept of ensuring that one individual does not have all necessary permissions to be able to complete a malicious action. In Cloud KMS, this could be an action such as using a key to access and decrypt data a user should not normally have access to. Separation of duties is a business control typically used in larger organizations, meant to help avoid security or privacy incidents and errors. It is considered best practice.\n\nNo user(s) should have `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles assigned at the same time.\n\n### Impact\nRemoved roles should be assigned to another user based on business needs.\n\n### Additional Information\nUsers granted Owner (roles/owner) and Editor (roles/editor) roles have privileges equivalent to `Cloud KMS Admin` and `Cloud KMS CryptoKey Encrypter/Decrypter`. To avoid misuse, Owner and Editor roles should be granted to a very limited group of users. Use of these primitive privileges should be minimal. These requirements are addressed in our other rules.\n\n## Remediation\n\n### From the console\n1. Go to **IAM & Admin/IAM** using [https://console.cloud.google.com/iam-admin/iam][1]\n2. 
For any member having `Cloud KMS Admin` and any of the `Cloud KMS CryptoKey Encrypter/Decrypter`, `Cloud KMS CryptoKey Encrypter`, `Cloud KMS CryptoKey Decrypter` roles granted/assigned, click the **Delete Bin** icon to remove the role from the member.\n\n## References\n1. [https://cloud.google.com/kms/docs/separation-of-duties][2]\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/kms/docs/separation-of-duties\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.11","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.2","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\nresource_type = \"gcp_iam_policy\"\n\nis_admin_user(gip) if {\n\tmembers_to_roles_array := gip.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/cloudkms.admin\"\n}\n\neval(gip) = \"skip\" if {\n\tnot is_admin_user(gip)\n} else = \"fail\" {\n\trole := gip.member_to_roles[_].roles[_]\n\trole in [\"roles/cloudkms.cryptoKeyDecrypter\", \"roles/cloudkms.cryptoKeyEncrypter\", \"roles/cloudkms.cryptoKeyEncrypterDecrypter\"]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8uv-2ds-fnx","createdAt":1658410212713,"name":"Separation of duties is enforced while assigning KMS-related roles to 
users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:gcp","framework:cis-gcp","level:1","source:google_service_account","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","requirement:Least-Privileged-Access","scope:google_service_account","control:1.8","control:7.2","control:7.1","requirement:Control-Activities","control:7.2.1","control:7.2.2","framework:soc-2","control:A.9.2.3","requirement:Identity-and-Access-Management","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","control:CC6.3","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecurity best practices recommend that the principle of 'Separation of Duties' is enforced while assigning service-account related roles to users. This is achieved by ensuring that no user has the Service Account Admin and Service Account User roles assigned at the same time.\n\n## Rationale\n\nThe predefined IAM role ``Service Account admin`` allows the user/identity to\ncreate, delete, and manage service account(s). The predefined IAM role ``Service Account User`` allows the user/identity (with adequate privileges on Compute and App Engine) to assign service account(s) to Apps/Compute instances.\n\nSeparation of duties is the concept of ensuring that one individual does not have all\nnecessary permissions to be able to complete a malicious action. Using Cloud IAM service\naccounts, a malicious user could assume the identity of a service account to access resources that\nthey otherwise cannot access.\n\nSeparation of duties is a business control typically used in larger organizations, meant to\nhelp avoid security or privacy incidents and errors. It is considered a best practice.\n\nNo user should have ``Service Account Admin`` and ``Service Account User`` roles assigned\nat the same time.\n\n## Remediation\n\n1. 
Go to ``IAM & Admin/IAM`` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. For any member having both ``Service Account Admin`` and ``Service Account User`` roles granted/assigned, click the ``Delete Bin`` icon to remove either role from the member.\n\nRemoval of a role should be done based on the business requirements.\n\n## Impact\n\nThe removed role should be assigned to a different user based on business needs.\n\n## References\n\n1. [https://cloud.google.com/iam/docs/service-accounts][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/granting-roles-to-service-accounts][4]\n\n## Additional information \n\nUsers granted the Owner (roles/owner) and Editor (roles/editor) roles have privileges\nequivalent to Service Account Admin and Service Account User. To avoid misuse,\nOwner and Editor roles should be granted to a very limited number of users. Use of these primitive\nprivileges should be minimal. These requirements are addressed in separate\nrecommendations.\n\n## CIS controls\n\nVersion 8 3.3 - Configure Data Access Control Lists: Configure data access control lists based on a user\u2019s need to know. Apply data\naccess control lists, also known as access permissions, to local and remote file systems, databases, and applications.\n\nVersion 7 14.6 - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/iam/docs/service-accounts\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.8","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.2.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(iam_policy) = \"fail\" if {\n\tmembers_to_roles_array := iam_policy.member_to_roles[_]\n\tstartswith(members_to_roles_array.member, \"user:\")\n\tmembers_to_roles_array.roles[_] == \"roles/iam.serviceAccountAdmin\"\n\tmembers_to_roles_array.roles[_] == 
\"roles/iam.serviceAccountUser\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_policy","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_policy","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"re5-dlh-43x","createdAt":1656443521016,"name":"Separation of duties is enforced while assigning service account related roles to users"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.6","cloud_provider:azure","framework:cis-azure","requirement:Default-Security-Parameter","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","control:2.2.4","framework:soc-2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:CC7.2","framework:pci","requirement:Operations-Security","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `connection_throttling` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `connection_throttling` helps the PostgreSQL Database to Set the verbosity of logged messages which generates query and error logs about concurrent connections. 
Too many concurrent connections could lead to a successful Denial of Service (DoS) attack by exhausting connection resources. A system can also fail or be degraded by an overload of legitimate users. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `connection_throttling`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `connection_throttling` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name connection_throttling --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.6","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nthrottling_disabled(server_config) if {\n\tserver_config.name == \"connection_throttling\"\n\tserver_config.value != \"on\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tthrottling_disabled(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"w1l-qav-gcj","createdAt":1624867980066,"name":"Server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","control:10.1","requirement:Monitoring","control:4.3.3","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_checkpoints` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_checkpoints` helps the PostgreSQL Database to log each checkpoint and generate query and error logs. Access to transaction logs is not supported. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. 
For each database, click on Server parameters\n4. Search for `log_checkpoints`.\n5. Click ON and save.\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_checkpoints` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_checkpoints --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.3","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_checkpoints\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") 
@name:(\"log_checkpoints\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"sc0-yfd-hsz","createdAt":1624867976912,"name":"Server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:4.3.4","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_connections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_connections` helps PostgreSQL Database to log an attempted connection to the server, as well as successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors and suboptimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_connections`.\n5. Click ON and save. 
\n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_connections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_connections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.4","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tnot server_config.value == \"on\"\n\tserver_config.name == \"log_connections\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = 
postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"gle-oql-wen","createdAt":1624867976676,"name":"Server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","control:10.1","control:4.3.5","requirement:Monitoring","control:A.12.4.1","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","security:compliance","framework:cis-azure","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","control:A1.1","requirement:Monitoring-Activities","framework:soc-2","control:CC4.1","control:10.3","control:CC2.1","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_disconnections` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_disconnections` helps your PostgreSQL database to log the end of a session, including duration, 
which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_disconnections`.\n5. Click ON and save. \n\nAlternatively, use the Azure Command Line Interface and run the below command to update `log_disconnections` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_disconnections --value on\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n2. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7 6.2 Activate logging: Ensure that local logging has been enabled on all systems and networking 
devices.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.5","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC4.1","framework":"soc-2","requirement":"Monitoring-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"validationQuery":"-@value:(\"on\") @name:(\"log_disconnections\")","resourceType":"azure_postgresql_server","filter":"","queryPath":"server_configs","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server (-@value:(\"on\") @name:(\"log_disconnections\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"5av-e46-div","createdAt":1624867974164,"name":"Server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["requirement:Transmission-Security","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","source:azure.dbforpostgresql","scope:azure.dbforpostgresql","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","control:164.308-a-3-ii-a","requirement:Additional-Criteria-for-Availability","requirement:System-Operations","requirement:Records-of-Processing-Activities","cloud:azure","control:A1.1","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nPostgreSQL uses logging to track the time it takes to complete an SQL query.\n\n## Rationale\n\nThe \"log_duration\" parameter allows recording the duration of each completed PostgreSQL statement. Logging this attribute enables administrators to monitor for potential issues in the database.\n\n## Remediation\n\n### Console\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][1] documentation to enable the 'log_duration' logging in the PostgreSQL database. Ensure **log_duration** is selected under **Server Parameters**.\n\n### CLI\n\n1. Complete steps in Microsoft's [Customize server configuration parameters for Azure Database for PostgreSQL][2] documentation to enable **log_duration** in **Server Parameters**.\n2. 
Get a list of your PostgreSQL servers by running the following in Azure Powershell:\n\n ```\n az postgres server list\n\t--output table\n\t--query '[*].{name:name, resourceGroup:resourceGroup}'\n ```\n3. Run the 'postgres server configuration set' command:\n\n ```\n az postgres server configuration set\n\t--server-name \"INSERT-SERVER-NAME-HERE-FROM-STEP-2\"\n\t--resource-group \"cloud-shell-storage-westeurope\"\n\t--name log_duration\n\t--value on\n ```\n4. Repeat steps two and three for each server that is not configured correctly.\n\n[1]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n[2]: https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-cli","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requ
irement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config := postgresql_server.server_configs[_]\n\tserver_config.name == \"log_duration\"\n\tserver_config.value == \"off\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"iwo-oh9-bpi","createdAt":1645804679249,"name":"Server parameter 'log_duration' is set to 'ON' for PostgreSQL Database 
Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.3.7","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","requirement:Additional-Criteria-for-Availability","control:A.12.4.1","requirement:System-Operations","source:azure.dbforpostgresql","control:A1.1","scope:azure.dbforpostgresql","level:1","requirement:Database-Services","framework:soc-2","framework:iso-27001","control:CC2.1","control:CC7.2","framework:pci","requirement:Operations-Security","control:10.7","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable `log_retention_days` on PostgreSQL Servers.\n\n## Rationale\n\nEnabling `log_retention_days` helps PostgreSQL Database to set the number of days a log file is retained, which generates query and error logs. Query and error logs can be used to identify, troubleshoot, and repair configuration errors and sub-optimal performance.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to Azure Database for PostgreSQL server\n3. For each database, click on Server parameters\n4. Search for `log_retention_days`.\n5. Enter value in range 4-7 (inclusive) and save. \n\nAlternatively, use the Azure Command Line Interface and run the the below command to update `log_retention_days` configuration:\n\n ```bash\n az postgres server configuration set --resource-group --server-name --name log_retention_days --value <4-7>\n ```\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/howto-configure-server-parameters-using-portal\n2. https://docs.microsoft.com/en-us/rest/api/postgresql/configurations/listbyserver\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-6-configure-log-storage-retention\n\n## CIS Controls\n\nVersion 7 6.4 Ensure adequate storage for logs: Ensure that all systems that store logs have adequate storage space for the logs generated.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.3.7","framework":"cis-azure","requirement":"Database-Services","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A1.1","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nserver_config_not_compliant(server_config) if {\n\tto_number(server_config.value) < 3\n\tserver_config.name == \"log_retention_days\"\n}\n\neval(postgresql_server) = \"fail\" if {\n\tserver_config = postgresql_server.server_configs[_]\n\tserver_config_not_compliant(server_config)\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, 
eval(resource))\n}\n","resourceTypes":["azure_postgresql_server"]},"validationQuery":"","resourceType":"azure_postgresql_server","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_postgresql_server","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"jsy-iuu-a38","createdAt":1624867974261,"name":"Server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","requirement:Least-Privileged-Access","scope:google_service_account","control:7.1","requirement:Credentials","requirement:Control-Activities","control:7.1.1","control:7.1.2","control:7.1.3","source:google_service_account","framework:soc-2","control:A.9.2.3","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:8.1.2","control:CC6.3","framework:pci","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA service account is a special Google account that belongs to an application or a VM, instead\nof to an individual end-user. The application uses the service account to call the service's\nGoogle API so that users aren't directly involved. It's recommended not to use admin roles for ServiceAccount.\n\n## Rationale\n\nService accounts represent service-level security of the Resources (application or a VM)\nwhich can be determined by the roles assigned to it. 
Enrolling ServiceAccount with Admin\nrights gives full access to an assigned application or a VM. A ServiceAccount Access holder\ncan perform critical actions like delete, update, and change settings, etc. without user\nintervention. For this reason, Datadog recommends that service accounts not have an Admin role.\n\n## Remediation\n\n## From Console:\n1. Go to `IAM & admin/IAM` using [https://console.cloud.google.com/iam-admin/iam][1]\n2. Go to the `Members`\n3. Identify `User-Managed user created service account(s)` with roles containing `*Admin or *admin`\n4. Click the `Delete bin` icon to remove the role from the member (service account in this case)\n\n\n## From Command Line: \n\n```bash\ngcloud projects get-iam-policy PROJECT_ID --format json > iam.json\n```\n\n1. Using a text editor, Remove `Role` which contains `roles/ *Admin` or `roles/ *admin`. Add a role to the bindings array that defines the group members and the role for those members.\n2. Update the project's IAM policy:\n\n```bash\ngcloud projects set-iam-policy PROJECT_ID iam.json\n```\n\n\n## References\n\n1. [https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/][2]\n2. [https://cloud.google.com/iam/docs/understanding-roles][3]\n3. [https://cloud.google.com/iam/docs/understanding-service-accounts][4] \n\n## CIS Controls\n\nVersion 8 5.4 Restrict Administrator Privileges to Dedicated - Administrator Accounts Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user\u2019s primary, non-privileged account.\n\nVersion 7 4.3 - Ensure the Use of Dedicated Administrative Accounts - Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. 
This account should only be used for administrative activities and not internet browsing, email, or similar activities.\n\n[1]: https://console.cloud.google.com/iam-admin/iam\n[2]: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/\n[3]: https://cloud.google.com/iam/docs/understanding-roles\n[4]: https://cloud.google.com/iam/docs/understanding-service-accounts","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.2","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"7.1.3","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"8.1.2","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmembers_with_admin_role := {member |\n\tbinding := input.resources.gcp_iam_policy[_].member_to_roles[_]\n\tstartswith(binding.member, \"serviceAccount:\")\n\trole := binding.roles[_]\n\tcontains(lower(role), \"admin\")\n\tmember := trim_prefix(binding.member, \"serviceAccount:\")\n}\n\neval(iam_service_account) = \"fail\" if {\n\tsplit_name := 
split(iam_service_account.name, \"/\")\n\tmember := split_name[count(split_name) - 1]\n\tmembers_with_admin_role[member]\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"validationQuery":"","resourceType":"gcp_iam_service_account","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"4ea-as1-0bv","createdAt":1655820189596,"name":"Service Accounts are not bound to built-in Administrative roles"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0005-defense_evasion","source:runtime-security-agent","technique:T1070-indicator_removal_on_host","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the tampering of shell command history on a host or container. \n\n## Strategy\nCommands used within a terminal are contained within a local file so users can review applications, scripts, or processes that were previously executed. Adversaries tamper with the integrity of the shell command history by deletion, truncation, or the linking of `/dev/null` by use of a symlink. This allows adversaries to obfuscate their actions and delay the incident response process. \n\n## Triage and response\n1. Review the tampering action taken against the shell command history files.\n2. 
Review the user or process that performed the action against the shell command history.\n3. Determine whether or not this is expected behavior.\n4. If this activity is not expected, contain the host or container, and roll back to a known good configuration.\n\n*Requires Agent version 7.27 or greater*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(shell_history_symlink OR shell_history_truncated OR shell_history_deleted)","groupByFields":["host"],"aggregation":"count","name":"shell_history_tamper","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"shell_history_tamper","condition":"shell_history_tamper > 0"}],"type":"workload_security","id":"5bq-qe4-ctu","createdAt":1661196433820,"name":"Shell command history modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:signal_sciences","scope:signal_sciences"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when an IP is flagged by Signal Sciences.\n\n## Strategy\nThis rule lets you monitor Signal Sciences events submitted through the Signal Sciences [integration][1] to detect when an IP is flagged. \n\n## Triage and response\n1. Determine whether the attack is a false positive.\n2. Determine whether the attack was successful.\n3. 
If the attack exploited a vulnerability in the application, triage the vulnerability.\n\n[1]: https://app.datadoghq.com/account/settings#integrations/sigsci\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":300,"keepAlive":300},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:signal_sciences @title:*flag","groupByFields":[],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bmg-ftn-dzo","createdAt":1584993292228,"name":"Signal Sciences flagged an IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC7.5","cloud_provider:azure","requirement:Business-Continuity","control:A.17.1.2","control:A.12.2.1","requirement:Compliance","level:1","control:3.8","requirement:Cardholder-Data","framework:iso-27001","scope:azure.storage","framework:pci","requirement:Operations-Security","security:compliance","framework:cis-azure","requirement:Confidentiality","requirement:Additional-Criteria-for-Availability","control:C1.1","requirement:System-Operations","control:3.1","requirement:Control-Activities","requirement:Storage-Account","source:azure.storage","control:A1.2","control:A.18.1.3","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Storage blobs contain ePHI, financial, secret, or personal data. If erroneously modified or deleted accidentally by an application or other storage account user, data loss or data unavailability can occur. It is recommended that Azure Storage be made recoverable by enabling soft delete configuration. 
This is to save and recover data when blobs or blob snapshots are deleted.\n\n## Rationale\n\nA user can accidentally run delete commands on Azure Storage blobs or blob snapshots, or an attacker/malicious user can do it deliberately to cause disruption. Deleting an Azure Storage blob leads to immediate data loss or non-accessible data. Enable recoverable blobs configuration in the Azure Storage blob service to ensure that even if blobs/data are deleted from the storage account, the objects remain recoverable for a time set in the retention policy. Retention policies can be 7 days to 365 days.\n\n## Remediation\n\nAzure Console:\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.\n\nAzure Command-Line Interface:\n\nUpdate retention days with the following command: `az storage blob service-properties delete-policy update --days-retained --account-name --enable true'`\n\n## References\n\n1. 
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete\n\n## CIS Controls\n\nVersion 7 10 - Data Recovery Capabilities\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.1","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"A.12.2.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.17.1.2","framework":"iso-27001","requirement":"Business-Continuity","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.5","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC9.1","framework":"soc-2","requirement":"Risk-Mitigation","version":"2"},{"control":"A1.2","framework":"soc-2","requirement":"Additional-Criteria-for-Availability","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"(@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR @blob_services.delete_retention_policy_days:0)","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account ((@blob_services.delete_retention_policy_enabled:false OR (-@blob_services.delete_retention_policy_days:*) OR 
@blob_services.delete_retention_policy_days:0))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"critical","notifications":[],"name":"","condition":"a > 0"}],"id":"w0h-o5o-lyp","createdAt":1631690471228,"name":"Soft delete is enabled for Azure Storage"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1505-server-software-component","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nThis rule detects attempted post-exploitation activity of [CVE-2022-22965][1] with an HTTP GET parameter.\n\n## Strategy\nThis rule looks for `@http.url_details.path` = .jsp, `@http.url_details.queryString.pwd` = `*`, and `@http.url_details.queryString.cmd` = . If found, it indicates web shell activity observed with successful Spring RCE exploitation. \n\n## Triage and response\nCheck your host to see if the {{@http.url_details.queryString.cmd}} command ran successfully. 
If so,\n * Refer to your company's Incident Response process since this is detection post-exploitation activity.\n * Refer to the vendor's [advisory][2] for remediation of this Remote Code Execution (RCE) vulnerability.\n\n## Changelog\n- 06 June 2022 - The severity has been lowered due to rule fidelity on just log telemetry.\n- 31 March 2022 - Rule added in response to [CVE-2022-22965][1]\n\n[1]: https://tanzu.vmware.com/security/cve-2022-22965\n[2]: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@http.url_details.path:*.jsp @http.url_details.queryString.pwd:* @http.url_details.queryString.cmd:* @http.method:GET @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_details","distinctFields":[]},{"query":"@http.url:*cmd* @http.url:*pwd* @http.method:GET @http.url:*.jsp* @http.status_code:200","groupByFields":[],"aggregation":"count","name":"pwd_cmd_in_url","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"PWD/CMD request in http.url_details.queryString key","condition":"pwd_cmd_in_details > 0"},{"status":"low","notifications":[],"name":"PWD/CMD request in http.url key","condition":"pwd_cmd_in_url > 0"}],"type":"log_detection","id":"6nf-i0e-ff0","createdAt":1648746485630,"name":"Spring RCE post-exploitation activity 
attempted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","framework:cis-azure","requirement:Confidentiality","control:3.4","control:C1.1","requirement:Credentials","requirement:Compliance","requirement:Storage-Account","source:azure.storage","level:1","control:A.18.1.3","framework:soc-2","control:3.9","requirement:Cardholder-Data","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","scope:azure.storage","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable sensitive data encryption at rest using customer managed keys rather than Microsoft managed keys.\n\n## Rationale\n\nBy default, data in the storage account is encrypted using Microsoft managed keys at rest. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted. However, if you want to control and manage the encryption key yourself, you can specify a customer-managed key, and that key is used to protect and control access to the key that encrypts your data. You can also choose to automatically update the key version used for Azure Storage encryption whenever a new version is available in the associated key vault.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Storage Accounts\n2. For each storage account, go to Encryption\n3. Set Customer Managed Keys\n4. Select the encryption key and enter the appropriate setting value\n5. Click Save\n\n## Impact\n\nIf the key expires by setting the activation date and expiration date of the key, you must rotate the key manually. Using customer managed keys may also incur additional effort to create, store, manage, and protect the keys as needed.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption\n2. 
https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices#protect-data-at-rest\n3. https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption#azure-storage-encryption-versus-disk-encryption\n4. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-1-discovery,-classify-and-label-sensitive-data\n\n\n## CIS Controls\n\nVersion 7 14.8 - Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.9","framework":"cis-azure","requirement":"Storage-Account","version":"1.3.0"},{"control":"3.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.1","framework":"soc-2","requirement":"Confidentiality","version":"2"}],"validationQuery":"-@encryption.key_source:Microsoft.Keyvault","resourceType":"azure_storage_account","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_storage_account (-@encryption.key_source:Microsoft.Keyvault)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"id":"kh6-wzv-u3s","createdAt":1631690464889,"name":"Storage for critical data is encrypted with Customer Managed Key"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1556-modify-authentication-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to `pam.d` directory.\n\n## Strategy\nLinux Pluggable Authentication Modules (PAM) provide authentication for applications and services. Authentication modules in the PAM system are setup and configured under the `/etc/pam.d/` directory. An attacker may attempt to modify or add an authentication module in PAM in order to bypass the authentication process, or reveal system credentials.\n\n## Triage and response\n1. Identify if the changes to the path `{{@file.path}}` were part of known system setup or mainenance.\n2. If these changes were unauthorized, roll back the host in question to a known good PAM configuration, or replace the system with a known-good system image.\n\n*Required agent version 7.27 or higher*\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(pam_modification OR pam_modification_chmod) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_chown)-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_link) 
-@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_rename) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_open) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_unlink) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(pam_modification OR pam_modification_utimes) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"pam_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"pam_modification","condition":"pam_modification_chmod > 0 || pam_modification_chown > 0 || pam_modification_link > 0 || pam_modification_rename > 0 || pam_modification_open > 0 || pam_modification_unlink > 0 || pam_modification_utimes > 0"}],"type":"workload_security","id":"59x-93j-pek","createdAt":1606142936138,"name":"System authentication files modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["fim:true","technique:T1543-create-or-modify-system-process","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect modifications to system services.\n\n## Strategy\nEspecially in production, systems should be generated based on standard images such as AMIs for Amazon EC2, VM images in Azure, or GCP images. 
Systemd is the default service manager in many Linux distributions. It manages the lifecycle of background processes and services, and can be used by an attacker to establish persistence in the system. Attackers can do this by injecting code into existing systemd services, or by creating new ones. Systemd services can be started on system boot, and therefore attacker code can persist through system reboots.\n\n## Triage and response\n1. Check to see what service was modified of created.\n2. Identify whether it is a known service, being modified by a known user and/or process.\n3. If these changes are not acceptable, roll back the host in question to an acceptable configuration.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chmod) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chmod","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_chown) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_chown","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_link) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_link","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_rename) 
-(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_rename","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_open) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_open","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_unlink) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_unlink","distinctFields":[]},{"query":"@agent.rule_id:(systemd_modification OR systemd_modification_utimes) -(@process.executable.name:containerd @process.args:info) -@process.executable.name:dockerd -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"systemd_modification_utimes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"systemd_modification","condition":"systemd_modification_chmod > 0 || systemd_modification_chown > 0 || systemd_modification_link > 0 || systemd_modification_rename > 0 || systemd_modification_open > 0 || systemd_modification_unlink > 0 || systemd_modification_utimes > 0"}],"type":"workload_security","id":"vjt-chu-njs","createdAt":1606142929241,"name":"Systemd service modified"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0006-credential-access","technique:T1110-brute-force","security:attack"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect an account take over (ATO) through brute force attempts.\n\n## 
Strategy\nTo determine a successful attempt: Detect a high amount of failed logins and at least one successful login for a given IP address. This will generate a `HIGH` severity signal.\nTo determine an attempt: Detect a high amount of failed logins for a given IP address. This will generate an `INFO severity signal.\n\n## Triage and response\n1. Inspect the logs to see if this was a valid login attempt.\n2. See if 2FA was authenticated.\n3. If the user was compromised, rotate user credentials.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"@evt.name:authentication @evt.outcome:failure","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]},{"query":"@evt.name:authentication @evt.outcome:success","groupByFields":["@usr.name"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":["@slack-secops"],"name":"Successful","condition":"a>5 && b>0"},{"status":"info","notifications":[],"name":"Attempted","condition":"a>5"}],"type":"log_detection","id":"wce-cxo-pe4","createdAt":1585870283641,"name":"TEMPLATE - Brute Force Attack Grouped By IP"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:threat-intel","scope:template"],"isEnabled":false,"hasExtendedTitle":true,"message":"## Goal\nDetect when a stolen laptop has been connected to the network.\n\n## Strategy\nUsing the Datadog [Lookup Processor](https://docs.datadoghq.com/logs/processing/processors/?tab=ui#lookup-processor) you can maintain a blocklist of MAC addresses.\nWhen a MAC address connects to the network, the @threat.stolen_laptop attribute is set to `true`.\nThis threat detection rule queries for `@threat.stolen_laptop:true` and generates a security signal. 
\n\n## Triage and response\nEnter your triage and response process for when a stolen laptop has connected to your network to help users responding to the security signal quickly triage and respond to the signal. \n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"@threat.stolen_laptop:true @network.client.mac:*","groupByFields":["@network.client.mac"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"ap3-xy9-tsm","createdAt":1585870283379,"name":"TEMPLATE - Stolen Laptop Connected to Network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:3.10","requirement:Docker-Daemon-Configuration-Files","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nYou should verify that the TLS CA certificate file, the file that is passed along with the `--tlscacert` parameter, has permissions of 444 or is set more restrictively.\n\n## Rationale\n\nThe TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must therefore have permissions of 444, or more restrictive permissions to ensure that the file cannot be modified by a less privileged user.\n\n## Audit\n\nVerify that the TLS CA certificate file has permissions of `444` or more restrictive, by running: \n```\nstat -c %a \n```\n\n## Remediation\n\nRun the following command: `chmod 444 `\n\nThis sets the file permissions on the TLS CA file to 444.\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the permissions for the TLS CA certificate file might not be 444. The default file permissions are governed by the operating system or user specific umask values.\n\n## References\n\n1. 
https://docs.docker.com/registry/insecure/\n2. https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\nVersion 7\n\n14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"3.10","framework":"cis-docker","requirement":"Docker-Daemon-Configuration-Files","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-3.10\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"hyd-ar9-kzl","createdAt":1602076723625,"name":"TLS CA certificate file permissions are set to read-only or more 
restrictive"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","control:2.6","requirement:Docker-Daemon-Configuration","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nIt is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.\n\n## Rationale\n\nBy default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket. If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.\n\n## Audit\n\nTo confirm that the TLS authentication setting is correct, review the `dockerd` startup options and the settings in `/etc/docker/daemon.json`. To review the `dockerd` startup options, run: \n```\nps -ef | grep dockerd \n```\nConfirm that the following parameters are present: `--tlsverify --tlscacert --tlscert --tlskey`.\n\nAlso review the `/etc/docker/daemon.json` file to ensure these settings are in place.\n\n## Remediation\n\nFollow the steps mentioned in the Docker documentation or other references.\n\n## Impact\n\nYou would need to manage and guard certificates and keys for the Docker daemon and Docker clients.\n\n## Default value\n\nBy default, TLS authentication is not configured.\n\n## References\n\n1. 
https://docs.docker.com/engine/security/https/\n\n## CIS controls\n\nVersion 6\n\n9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"2.6","framework":"cis-docker","requirement":"Docker-Daemon-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"rh4-jeh-afu","createdAt":1602077571799,"name":"TLS authentication is configured for Docker daemon"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","source:compliance-agent","control:1.1.18","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the controller-manager.conf file ownership is set to `root:root`.\n\n## Rationale\n\nThe controller-manager.conf file is the kubeconfig file for the Controller Manager. You should set its file ownership to maintain the integrity of the file. 
The file should be owned by `root:root`.\n\n## Audit\n\nRun the below command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %U:%G /etc/kubernetes/controller-manager.conf\n```\n\nVerify the ownership is set to `root:root`.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chown root:root /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` file ownership is set to `root:root`.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.18","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.18\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"bud-aya-umc","createdAt":1599605289575,"name":"The controller-manager.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:google_compute_network","scored:true","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","control:2.1.1","requirement:Compliance","level:2","control:2.2.4","control:2.2.2","framework:iso-27001","requirement:Access-Control","requirement:GCP","control:1.3.5","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","control:3.4","requirement:Communications-Security","control:2.6","control:1.2","control:2.1","control:1.3","control:3.1","requirement:Control-Activities","source:google_compute_network","control:A.13.1.3","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","framework:security-labs","requirement:Networking","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nTo prevent use of the `default` network, a project 
should not have a `default` network.\n\n### Default value\nBy default, for each project, a `default` network is created.\n\n\n## Rationale\nThe `default` network has a preconfigured network configuration and automatically generates the following insecure firewall rules:\n\n - default-allow-internal: Allows ingress connections for all protocols and ports among instances in the network.\n - default-allow-ssh: Allows ingress connections on TCP port 22(SSH) from any source to any instance in the network.\n - default-allow-rdp: Allows ingress connections on TCP port 3389(RDP) from any source to any instance in the network.\n - default-allow-icmp: Allows ingress ICMP traffic from any source to any instance in the network.\n\nThese automatically-created firewall rules do not get audit-logged and cannot be configured to enable firewall rule logging.\n\nFurthermore, the `default` network is an auto-mode network, which means that its subnets use the same predefined range of IP addresses. As a result, it's not possible to use Cloud VPN or VPC Network Peering with the `default` network.\n\nBased on organization security and networking requirements, the organization should create a new network and delete the `default` network.\n\n### Impact\nWhen an organization deletes the `default` network, it may need to migrate services onto a new network.\n\n## Remediation\n\n### From the console\n1. Go to the [VPC networks][1] page.\n2. Click the network named `default`.\n3. On the network detail page, click **EDIT**.\n4. Click **DELETE VPC NETWORK**.\n5. If needed, create a new network to replace the `default` network.\n\n### From the command line\n1. Delete the `default` network:\n\n ```\n gcloud compute networks delete default\n ```\n\n2. 
If needed, create a new network to replace it:\n\n ```\n gcloud compute networks create NETWORK_NAME\n ```\n\n## Prevention\nYou can prevent the `default` network and its insecure firewall rules from being created by setting up an Organization Policy to skip `default` network creation at [https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation][2].\n\n## References\n1. [https://cloud.google.com/compute/docs/networking#firewall_rules][3]\n2. [https://cloud.google.com/compute/docs/reference/latest/networks/insert][4]\n3. [https://cloud.google.com/compute/docs/reference/latest/networks/delete][5]\n4. [https://cloud.google.com/vpc/docs/firewall-rules-logging][6]\n5. [https://cloud.google.com/vpc/docs/vpc#default-network][7]\n6. [https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete][8]\n\n[1]: https://console.cloud.google.com/networking/networks/list\n[2]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-skipDefaultNetworkCreation\n[3]: https://cloud.google.com/compute/docs/networking#firewall_rules\n[4]: https://cloud.google.com/compute/docs/reference/latest/networks/insert\n[5]: https://cloud.google.com/compute/docs/reference/latest/networks/delete\n[6]: https://cloud.google.com/vpc/docs/firewall-rules-logging\n[7]: https://cloud.google.com/vpc/docs/vpc#default-network\n[8]: 
https://cloud.google.com/sdk/gcloud/reference/compute/networks/delete","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.1","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"3.4","framework":"security-labs","requirement":"GCP","version":"1"},{"control":"1.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.5","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.1.1","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.4","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.6","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.13.1.3","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Acces
s-Control","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_network) = \"fail\" if {\n\tcompute_network.name == \"default\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_network"]},"validationQuery":"","resourceType":"gcp_compute_network","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_network","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"0j0-lvk-9wm","createdAt":1658410212694,"name":"The default network does not exist in a project"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.9","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that if the kubelet refers to a configuration file with the `--config` argument, that file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet reads various parameters, including security settings, from a config file specified by the `--config` argument. If this file is specified you should restrict its file permissions to maintain the integrity of the file. 
The file should be writable by only the administrators on the system.\n\n## Audit\n\nLocate the Kubelet config file as follows: `ps -ef | grep kubelet | grep config`. If the `--config` argument is present, this gives the location of the Kubelet config file, for example `/var/lib/kubelet/config.yaml`. Run the following command (using the file location you just identified) to find that file's permissions: `stat -c %a /var/lib/kubelet/config.yaml`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the following command (using the config file location identified in the Audit step:\n\n```\nchmod 644 /var/lib/kubelet/config.yaml\n```\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the `/var/lib/kubelet/config.yaml` file as set up by kubeadm has permissions of 644.\n\n## References\n\n1. [https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.9","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.9\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"tc4-kmy-wlt","createdAt":1599605416397,"name":"The kubelet configuration file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.1","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet service file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe kubelet service file controls various parameters that set the behavior of the kubelet service in the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %a /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`. 
Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the each worker node.\n\nFor example, `chmod 644 /etc/systemd/system/kubelet.service.d/10-kubeadm.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, the kubelet service file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes ][2]\n3. [https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in][3]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#44-joining-your-nodes\n[3]: https://kubernetes.io/docs/admin/kubeadm/#kubelet-drop-in\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.1","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"j8k-7ii-fwo","createdAt":1599604432646,"name":"The kubelet service file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.5","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the kubelet.conf file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. 
For example, `stat -c %a /etc/kubernetes/kubelet.conf`. Verify that the permissions are 644 or more restrictive.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chmod 644 /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file has permissions of 640.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior. \n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.5","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":10,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"x88-8vs-ygw","createdAt":1599604783481,"name":"The kubelet.conf file cannot be altered by 
non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.1.6","requirement:Worker-Node-Configuration-Files","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `kubelet.conf` file ownership is set to `root:root`.\n\n## Rationale\n\nThe `kubelet.conf` file is the kubeconfig file for the node, and controls various parameters that set the behavior and identity of the worker node. You should set its file ownership to maintain the integrity of the file. The file should be owned by root:root.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the each worker node. For example, `stat -c %U:%G /etc/kubernetes/kubelet.conf`. Verify that the ownership is set to `root:root`.\n\n## Remediation\n\nRun this command (based on the file location on your system) on the each worker node. For example, `chown root:root /etc/kubernetes/kubelet.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `kubelet.conf` file ownership is set to `root:root`.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/][1]\n\n## CIS controls\n\nVersion 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7.5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. 
Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.1.6","framework":"cis-kubernetes","requirement":"Worker-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.1.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"mrc-waf-mbs","createdAt":1599599696342,"name":"The kubelet.conf file is owned by root"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","source:compliance-agent","framework:cis-kubernetes","requirement:Kubelet"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not disable timeouts on streaming connections.\n\n## Rationale\n\nSetting idle timeouts ensures that you are protected against denial-of-service attacks, inactive connections, and running out of ephemeral ports.\n\n*Note*: By default, `--streaming-connection-idle-timeout` is set to four hours, which might be too high for your environment. Setting this as appropriate would additionally ensure that such streaming connections are timed out after serving legitimate use cases.\n\n## Audit\n\nRun the following command on each node: `ps -ef | grep kubelet`. Verify that the `--streaming-connection-idle-timeout` argument is not set to 0. 
If the argument is not present, and there is a Kubelet config file specified by `--config`, check that it does not set `streamingConnectionIdleTimeout` to 0.\n\n## Remediation\n\nIf using a Kubelet config file, edit the file to set `streamingConnectionIdleTimeout` to a value other than 0. If using command line arguments, edit the kubelet service file `/etc/systemd/system/kubelet.service.d/10-kubeadm.conf` on each worker node and set the below parameter in `KUBELET_SYSTEM_PODS_ARGS` variable.\n\n`--streaming-connection-idle-timeout=5m`\n\nBased on your system, restart the kubelet service. For example: `systemctl daemon-reload systemctl restart kubelet.service`\n\n## Impact\n\nLong-lived connections could be interrupted.\n\n## Default value\n\nBy default, `--streaming-connection-idle-timeout` is set to four hours.\n\n## References\n\n1. [https://kubernetes.io/docs/admin/kubelet/ ][1]\n2. [https://github.com/kubernetes/kubernetes/pull/18552][2]\n\n## CIS controls\n\nVersion 6.9 Limitation and Control of Network Ports, Protocols, and Services\n\n[1]: https://kubernetes.io/docs/admin/kubelet/\n[2]: https://github.com/kubernetes/kubernetes/pull/18552\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_worker_node","complianceFrameworks":[{"control":"4.2.5","framework":"cis-kubernetes","requirement":"Kubelet","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-4.2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"xmg-h3a-wj4","createdAt":1599602030157,"name":"Timeouts on streaming connections are 
enabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","cloud_provider:azure","level:1","control:6.6","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","control:1.3.2","security:compliance","scope:azure.security","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:azure.security","requirement:Networking","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDisable internet exposed UDP ports on network security groups.\n\n## Rationale\n\nThe potential security problem with broadly exposing UDP services over the internet is that attackers can use DDoS amplification techniques to reflect spoofed UDP traffic from Azure Virtual Machines. The most common types of these attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification source for disrupting services of other machines on the Azure Virtual Network or even attack networked devices outside of Azure.\n\n## Remediation\n\nDisable direct UDP access to your Azure Virtual Machines from the internet. After direct UDP access from the internet is disabled, you can use other options to access UDP-based services running on these virtual machines.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices#secure-your-critical-azure-service-resources-to-only-your-virtual-networks\n2. https://docs.microsoft.com/en-us/azure/security/fundamentals/ddos-best-practices\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7\n\n9.2 Ensure Only Approved Ports, Protocols and Services Are Running: Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.\n\n7 Virtual Machines: This section covers security recommendations to follow to set virtual machine policies on an Azure subscription.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.6","framework":"cis-azure","requirement":"Networking","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR 
\"Any\")","resourceType":"azure_security_group","filter":"","queryPath":"security_rules","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_security_group (@access:(\"Allow\") @protocol:(\"UDP\" OR \"*\") @direction:(\"Inbound\") @destination_port_range:(\"*\" OR \"53\" OR \"123\" OR \"161\" OR \"389\" OR \"1900\") @source_address_prefix:(\"*\" OR \"0.0.0.0\" OR \"/0\" OR *\\/0 OR \"Internet\" OR \"Any\"))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@resource_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"1is-0om-n7k","createdAt":1624867977600,"name":"UDP Services are restricted from the Internet"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:runtime-security-agent","technique:T1190-exploit-public-facing-application","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect shell utilities, HTTP utilities, or shells spawned by a web server.\n\n## Strategy\nWeb shell attacks often involve attackers loading and running malicious files onto a victim machine, creating a backdoor on the compromised system. Attackers use web shells for a variety of purposes, and they can signal the beginning of an intrusion or wider attack. This detection triggers when shell utilities, HTTP utilities, or shells are spawned by a common web server process.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine whether or not there is an approved purpose for your web application to execute shells and utilities.\n2. 
If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack). Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":174,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"potential_web_shell","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["host"],"query":"@agent.rule_id:potential_web_shell -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"potential_web_shell"}],"type":"workload_security","id":"aks-ytd-8pf","createdAt":1647265136526,"name":"Unfamiliar command spawned from web server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nAttackers can leverage malicious kernel modules to gain persistence on a system, ensuring their malicious code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions and cover their tracks through the use of a rootkit.\n\nLoading a malicious kernel module can be a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. 
This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default, however attackers may attempt to load kernel modules from other locations as well. This detection detects all kernel module loads. \n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. Check the name of the process loading the kernel module.\n3. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":1,"learningMethod":"duration","forgetAfter":14,"learningThreshold":0},"keepAlive":3600},"version":173,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"new_kernel_module","metric":"@module.name","aggregation":"new_value","metrics":["@module.name"],"groupByFields":["host"],"query":"@agent.rule_id:(kernel_module_load OR new_kernel_module_audit OR kernel_module_load_container OR new_kernel_module_audit_container) -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"new_kernel_module"}],"type":"workload_security","id":"56o-bpk-lkz","createdAt":1656443525724,"name":"Unfamiliar kernel module loaded"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1547-boot-or-logon-autostart-execution","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nKernel modules can be used to automatically execute code when a host starts up. 
Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.\n\nLoading a malicious kernel module is a type of rootkit. Rootkits often create backdoor access and hide evidence of themselves. This includes process, file, and network activity.\n\n## Strategy\nKernel modules are loaded from the `/lib/modules` directory in Linux by default. In an attempt to thwart forensics, attackers sometimes attempt to load malicious kernel modules from memory so as not to leave artifacts on disk. This detection watches for all new kernel modules being loaded directly from memory. \n\n## Triage and response\n1. Check the name of the new kernel module created.\n2. If the new kernel module is not expected, contain the host or container and roll back to a known good configuration. Initiate the incident response process.\n\n*Requires Agent version 7.35 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":2,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:kernel_module_load_from_memory","groupByFields":["host"],"aggregation":"count","name":"kernel_module_load_from_memory","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"kernel_module_load_from_memory","condition":"kernel_module_load_from_memory > 0"}],"type":"workload_security","id":"dx9-30j-pas","createdAt":1650464539839,"name":"Unfamiliar kernel module loaded from memory"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetects when the AWS EKS service account token has been viewed by a user.\n\n## Strategy\nAWS provides an authentication mechanism called 
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) to allow Kubernetes workloads such as pods to securely authenticate to AWS without hardcoding credentials.\n\nThe authentication token made available by AWS is located at `/var/run/secrets/eks.amazonaws.com/serviceaccount/token` and can be exchanged for AWS credentials using `sts:AssumeRoleWithWebIdentity`. It is consequently an attractive target for attackers.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. 
Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":169,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"aws_eks_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:aws_eks_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"aws_eks_service_account_token_accessed"}],"type":"workload_security","id":"wq5-pnt-ij8","createdAt":1656443561852,"name":"Unfamiliar process accessed AWS EKS service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-unsecured-credentials","source:runtime-security-agent","tactic:TA0006-credential-access","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"Detects when the Kubernetes pod service account token has been viewed by a user.\n\n## Strategy\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\nKubernetes uses service accounts as its own internal identity system. Pods can authenticate with the Kubernetes API server using an auto-mounted token that only the Kubernetes API server could validate. These service account tokens can be used to authenticate to the Kubernetes API.\n\nThis rule uses the New Value detection method. Datadog will learn the historical behavior of a specified field in agent logs and then create a signal when unfamiliar values appear.\n\n## Triage and response\n1. 
Determine which user executed the command to read the token and determine if that access is authorized.\n2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n4. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.\n5. Find and repair the root cause of the exploit.\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":7,"learningThreshold":0},"keepAlive":3600},"version":170,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"k8s_pod_service_account_token_accessed","metric":"@process.comm","aggregation":"new_value","metrics":["@process.comm"],"groupByFields":["container.id"],"query":"@agent.rule_id:k8s_pod_service_account_token_accessed"}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"k8s_pod_service_account_token_accessed"}],"type":"workload_security","id":"7ow-znp-4fx","createdAt":1656443563565,"name":"Unfamiliar process accessed Kubernetes pod service account token"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:active-directory","tactic:TA0004-privilege-escalation","source:microsoft-365","technique:T1078-valid-accounts","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.\n\n## Strategy\nUsing the `New Value` detection method, find when a 
`Microsoft 365 Azure AD service principal` uses a new `@AuthenticationMethod`.\n\n## Triage and response\n1. Determine if the service principal `{{@usr.id}}` should be authenticating using the `{{@AuthenticationMethod}}` authentication method and `{{@ExtendedProperties.RequestType}}` request type.\n2. If `{{@usr.email}}` should not be authenticating using `{{@AuthenticationMethod}}`,\n * Investigate other activities performed by the user `{{@usr.id}}` using the Cloud SIEM - User Investigation dashboard \n * If necessary, initiate your company's incident response (IR) process.","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":3600},"version":41,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@AuthenticationMethod","aggregation":"new_value","metrics":["@AuthenticationMethod"],"groupByFields":["@usr.email"],"query":"source:microsoft-365 service:AzureActiveDirectory @evt.name:UserLoggedIn @evt.outcome:Success @UserDescription:\"A service principal\""}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":""}],"type":"log_detection","id":"toz-wdr-r1v","createdAt":1660857301768,"name":"Unusual Authentication by Microsoft 365 Azure AD Service Principal"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:kubernetes","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attaches to a pod.\n\n## Strategy\nThis rule monitors when a user attaches (`@objectRef.subresource:attach`) to a pod (`@objectRef.resource:pods`).\n\nA user should not need to attach to a pod. Attaching to a pod allows a user to attach to any process in a running container which may give an attacker access to sensitive data.\n\n## Triage and response\n1. 
Determine if the user should be attaching to a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:attach @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:attach @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"j6t-mva-rul","createdAt":1589375996858,"name":"User Attached to a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["tactic:TA0002-execution","source:kubernetes","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user execs into a pod.\n\n## Strategy\nThis rule monitors when a user execs (`@objectRef.subresource:exec`) into to a pod (`@objectRef.resource:pods`).\n\nA user should not need to exec into a pod. Execing into a pod allows a user to execute any process in container which is not already running.\nIt is most common to execute the bash process to gain an interactive shell.\nIf this is an attacker, they can access any data which the pod has permissions to, including secrets.\n\n## Triage and response\n1. 
Determine if the user should be execing into a running container.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:kubernetes.audit @objectRef.resource:pods @objectRef.subresource:exec @http.method:create @http.status_code:[101 TO 299]","groupByFields":["@usr.name"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@apiVersion:audit.k8s.io* @objectRef.resource:pods @objectRef.subresource:exec @verb:create @responseStatus.code:[101 TO 299]","groupByFields":["@user.username"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"hyd-cu4-79x","createdAt":1589376094658,"name":"User Exec into a Pod"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:sqreen"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user logs into an application that is using Sqreen from a new country.\n\n## Strategy\nThis rule lets you monitor when a user logs into an application from a country that has not been seen before.\n\n## Triage and response\n1. 
Review the user activity on the [Sqreen dashboard][1].\n\n[1]: https://my.sqreen.com/application/goto/users/\n","options":{"detectionMethod":"new_value","evaluationWindow":0,"maxSignalDuration":86400,"newValueOptions":{"learningDuration":7,"learningMethod":"duration","forgetAfter":28,"learningThreshold":0},"keepAlive":0},"version":171,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip.country.name","aggregation":"new_value","metrics":["@network.client.geoip.country.name"],"groupByFields":["@usr.id"],"query":"@evt.name:sq.dd0.user_event.login @sqreen.payload.success:true"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"4xm-2og-l7s","createdAt":1620224109989,"name":"User Logged into an Application from a New Country"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:gsuite","scope:gsuite","security:threat-intel","technique:T1078-valid-accounts","security:attack","tactic:TA0001-initial-access"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user attempts to log in with a password which is known to be compromised.\n\n## Strategy\nThis rule allows you to monitor this Google Activity API call to detect if an attacker is trying to login with a leaked password: \n\n* [Leaked password][1]\n\n## Triage and response\n1. Determine which user in your organization owns the compromised password.\n2. Contact the user and ensure they rotate the password on Google and any other accounts where they may have reused this password. 
Ensure the user is aware of strong password guidelines.\n\n[1]: https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#account_disabled_password_leak\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"source:gsuite @evt.category:account_warning @evt.name:account_disabled_password_leak","groupByFields":["@actor.email"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"9zi-bom-nmh","createdAt":1585870280553,"name":"User attempted login with leaked password"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1552-create-account","source:runtime-security-agent","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect the creation of a new user on the system using an interactive session.\n\n## Strategy\nAttacker's may add local accounts to systems that they have compromised to maintain access to those systems. If an attacker has gained a sufficient level of access (like admin privileges) on a system, they can make a new user for themselves.\nIn production systems, users should be created in the base image of the system (for example, the AMI or other VM image), or they should be created programmatically by configuration management tools. The creation of a new user by an interactive (human) session is suspicious.\n\n## Triage & Response\n1. Determine whether the creation of a new user is expected behavior.\n2. If this behavior is unexpected, attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack), and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.\n3. Determine the scope of the attack. 
Investigate whether or not multiple systems had this user added around the same time, and whether the systems impacted follow a pattern. For example, if a user was added to multiple systems, do they share the same workload or base image? What other activity occurred directly before or after the user was added?\n\n\n*Requires Agent version 7.27 or greater*","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"@agent.rule_id:user_created_tty -@process.ancestors.file.path:\"/usr/bin/unattended-upgrade\"","groupByFields":["host"],"aggregation":"count","name":"user_created_tty","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"user_created_tty","condition":"user_created_tty > 0"}],"type":"workload_security","id":"beh-ejq-upe","createdAt":1627392836979,"name":"User created interactively"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of secrets, through Cloudtrail's [`GetSecretValue`][1] event.\n\n## Strategy\nThis rule sets a baseline for user activity in the `GetSecretValue` event, and enables the detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of secrets.\n\nAn attacker may attempt to enumerate and access the AWS Secrets Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. 
Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any AWS secrets that were accessed by the user with the `aws-cli` command [`update-secret`][2] or use the [AWS Console][3].\n * Begin your organization's incident response process and investigate.\n4. If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/secretsmanager/update-secret.html\n[3]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-secret.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @evt.name:GetSecretValue -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.secretId"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"eg6-ogp-n1f","createdAt":1656426823748,"name":"User enumerated AWS Secrets Manager - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","source:cloudtrail","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is attempting to retrieve a high number of parameters, through Cloudtrail's [`GetParameter`][1] event.\n\n## 
Strategy\nThis rule sets a baseline for user activity in the `GetParameter` event, and enables detection of potentially anomalous activity when a user attempts to retrieve an anomalous volume of parameters.\n\nAn attacker may attempt to enumerate and access the AWS Systems Manager to gain access to Application Programming Interface (API) keys, database credentials, Identity and Access Management (IAM) permissions, Secure Shell (SSH) keys, certificates, and more. Once these credentials are obtained, they can be used to perform lateral movement and access restricted information.\n\n## Triage and response\n1. Investigate API activity for `{{@userIdentity.session_name}}` to determine if the specific set of API calls are malicious.\n * Use the investigation queries on the suggested actions panel.\n2. Review any other security signals for `{{@userIdentity.session_name}}`.\n3. If the activity is deemed malicious:\n * Rotate user credentials.\n * Determine what other API calls were made by the user.\n * Rotate any parameters that were accessed by the user with the `aws-cli` command [`put-parameter`][2].\n * Begin your organization's incident response process and investigate.\n4. 
If the activity is benign:\n * Use the linked blog post in the suggested actions panel to tune out noise.\n\n[1]: https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html\n[2]: https://docs.aws.amazon.com/cli/latest/reference/ssm/put-parameter.html","options":{"detectionMethod":"anomaly_detection","evaluationWindow":1800,"maxSignalDuration":1800,"keepAlive":1800},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @eventSource:ssm.amazonaws.com @evt.name:GetParameter -@userIdentity.invokedBy:(apidestinations.events.amazonaws.com OR rds.amazonaws.com OR access-analyzer.amazonaws.com OR config.amazonaws.com)","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"","distinctFields":["@requestParameters.name"]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":""}],"type":"log_detection","id":"os3-zft-ung","createdAt":1656426796721,"name":"User enumerated AWS Systems Manager parameters - Anomaly"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:5.2.1","control:A.12.4.1","requirement:Logging","level:1","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"\n## Description\n\nCreate an activity log alert for the Create Policy Assignment event.\n\n## Rationale\n\nMonitoring for create policy assignment events gives insight into changes done in \"azure policy - assignments\" and can reduce the time it takes to detect unsolicited changes.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to Monitor \n2. Select Alerts \n3. Click On New Alert Rule \n4. Under Scope, click Select resource \n5. 
Select the appropriate subscription under Filter by subscription \n6. Select Policy Assignment under Filter by resource type \n7. Select All for Filter by location \n8. Click on the subscription resource from the entries populated under Resource \n9. Verify Selection preview shows All Policy assignment (policyAssignments) and your selected subscription name \n10. Click Done \n11. Under Condition click Add Condition \n12. Select Create policy assignment signal \n13. Click Done \n14. Under Action group, select Add action groups and complete creation process or select appropriate action group \n15. Under Alert rule details, enter Alert rule name and Description \n16. Select appropriate resource group to save the alert to \n17. Check Enable alert rule upon creation checkbox \n18. Click Create alert rule Using the Azure Command Line Interface Use the below command to create an Activity Log Alert for Create policy assignment az account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c ''curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'' Where input.json contains the Request body JSON data as mentioned below. 
{ \"location\"\"Global\", \"tags\"{}, \"properties\"{ \"scopes\"[ \"/subscriptions/\" ], \"enabled\"true, \"condition\"{ \"allOf\"[ { \"containsAny\"null, \"equals\"\"Administrative\", \"field\"\"category\" }, { \"containsAny\"null, \"equals\"\"Microsoft.Authorization/policyAssignments/write\", \"field\"\"operationName\" } ] }, \"actions\"{ \"actionGroups\"[ { \"actionGroupId\"\"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\", \"webhookProperties\"null } ] }, } } Configurable Parameters for command line Configurable Parameters for input.json in scopes in actionGroupId in actionGroupId in actionGroupId'\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7\n6.3 Enable Detailed Logging Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := 
dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"arc-fhe-mie","createdAt":1645219743755,"name":"User has 'Create Policy Assignement' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. 
Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 
'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This 
part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"axd-sm2-68f","createdAt":1649972323590,"name":"User has 'Create Update Azure SQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## 
Description\n\nCreate an activity log alert for the Create or Update MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport 
future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dbv-9dd-noe","createdAt":1648760551340,"name":"User has 'Create Update MySQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create/Update PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create/Update PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName 
$ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"16
4.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yvw-kk1-tgq","createdAt":1648755639067,"name":"User has 
'Create Update PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nActivity log alert exists for the creation or update of a load balancer. \n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Load Balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"20n-ohj-aov","createdAt":1647625355122,"name":"User has 'Create or Update Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","control:5.2.3","framework:soc-2","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an Activity Log Alert for the Create or Update Network Security Group event.\n\n## Rationale\n\nBy monitoring for creation and updates to network security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name.\n11. Under **Condition**, click **Add Condition**.\n12. Select **Create or Update Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.3","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ape-a9h-0uq","createdAt":1645642194422,"name":"User has 'Create or Update Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.1","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update SQL Server Firewall Rule event.\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes 
and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window, select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Create/Update server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel.\n * Create action group - If you do not have an existing action group or want to create a new one.\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.1","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"zpn-jpa-nzg","createdAt":1645736563954,"name":"User has 'Create or Update SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","control:5.2.7","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Security Solution event.\n\n## Rationale\n\nBy monitoring to changes to security solutions, you get insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under Resource. \n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Create or Update Security Solutions** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name and **Description**. \n16. Select the appropriate resource group to save the alert to. 
\n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**. \n\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Security/securitySolutions/write\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.7","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] 
== concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8wl-yfi-m7y","createdAt":1645731976437,"name":"User has 'Create or Update Security Solutions' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an 
activity log alert for the Create or Update Storage Account event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Storage Account**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Storage/storageAccounts/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Storage Account'\n$Signal = 'Microsoft.Storage/storageAccounts/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/write\"\n\n\tnot 
condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"fho-nrd-kod","createdAt":1647625355199,"name":"User has 'Create or Update Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Create or Update Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Create or Update Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Create or Update Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/write\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"wjq-yup-bbt","createdAt":1648803814385,"name":"User has 'Create or Update Virtual 
Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:CC2.1","control:164.312-e-2-i"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Deallocate Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Deallocate Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/deallocate\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Deallocatete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/deallocate'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/deallocate\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ox0-4lx-ldg","createdAt":1649702560249,"name":"User has 'Deallocate Virtual Machines' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"W
orkforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mwl-a79-2lj","createdAt":1649774827099,"name":"User has 'Delete Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activity-log-alerts/delete\n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Secu
rity","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"hf7-wzu-yjg","createdAt":1649774825146,"name":"User has 'Delete Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Load Balancer event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete load balancer**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Network/loadBalancers/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Load Balancers'\n$Signal = 'Microsoft.Network/loadBalancers/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","frame
work":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/loadbalancers/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgu-5yo-cxv","createdAt":1646928388547,"name":"User has 'Delete Load Balancer' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete MySQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete MySQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforMySQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete MySQL Database'\n$Signal = 'Microsoft.DBforMySQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/mysql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","req
uirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbformysql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"nb1-ajv-1w5","createdAt":1648831710685,"name":"User has 'Delete 
MySQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","source:azure.activity_log","security:compliance","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","framework:cis-azure","control:A.12.4.1","requirement:System-Operations","requirement:Logging","level:1","framework:soc-2","control:5.2.4","framework:iso-27001","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Network Security Group event.\n\n## Rationale\n\nBy monitoring for delete betwork security group events, you gain insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Network Security Groups** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription resource from the entries populated under **Resource**. \n9. Click **Done**. \n10. Verify that **Selection preview** shows Network Security Groups and your selected subscription name \n11. Under **Condition**, click **Add Condition**.\n12. Select **Delete Network Security Group** signal. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.4","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.network/networksecuritygroups/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} 
else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"yjc-pc8-ybn","createdAt":1645645262376,"name":"User has 'Delete Network Security Group' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Compliance","requirement:Logging","level:1","control:5.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:Communications-Security","requirement:System-Operations","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Policy Assignment event.\n\n## Rationale\n\nBy monitoring delete policy assignment events, you gain insight into changes in the **Policy - Assignments** page and reduce the 
time it takes to detect unsolicited changes.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Policy Assignment** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the subscription from the entries populated under **Resource**. \n9. Verify that **Selection preview** shows All Policy assignments (`policyAssignments`) and your selected subscription name. \n10. Click **Done**. \n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete policy assignment signal**. \n13. Click **Done**. \n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group. \n15. Under **Alert rule details**, enter **Alert rule name** and **Description**. \n16. Select the appropriate resource group to save the alert to. \n17. Click on the **Enable alert rule upon creation** checkbox. \n18. Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data below. 
\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Authorization/policyAssignments/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Policy Assignment'\n$Signal = 'Microsoft.Authorization/policyAssignments/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n\n## References\n\n1. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n2. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n4. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n5. https://azure.microsoft.com/en-us/services/blueprints/ \n\n## Additional Information\n\nThis log alert also applies for Azure Blueprints.\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == 
subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.authorization/policyassignments/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"qh0-u5z-imx","createdAt":1645642194422,"name":"User has 'Delete Policy Assignement' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete PostgreSQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete PostgreSQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.DBforPostgreSQL/servers/databases/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete PostgreSQL Database'\n$Signal = 'Microsoft.DBforPostgreSQL/servers/databases/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName 
-Scope $scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/postgresql/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","fram
ework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.dbforpostgresql/servers/databases/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 
0"}],"id":"ras-5h8-nbb","createdAt":1647625355173,"name":"User has 'Delete PostgreSQL Database' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:5.2.9.2","control:A.12.4.1","requirement:Logging","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the \"Delete SQL Server Firewall Rule.\"\n\n### Default value\n\nBy default, no monitoring alerts are created or active.\n\n## Rationale\n\nMonitoring for Create or Update SQL Server Firewall Rule events gives insight into network access changes and may reduce the time it takes to detect suspicious activity.\n\n### Impact\n\nThere will be a substantial increase in log size if there are a large number of administrative actions on a server.\n\n## Remediation\n\n### From the Azure Console:\n\n1. Navigate to `Monitor` blade.\n2. Select `Alerts`.\n3. Click `Create`.\n4. Click on `Alert rule`.\n5. Under the Scope tab, click `Select scope`.\n6. In the `Select a resource` window,select the appropriate filters:\n * Filter by subscription: `< choose the subscription alerts are needed for >`\n * Filter by resource type: **Server Firewall Rule (servers/firewallRules)** \n * Filter by location: `All`\n * Click on the `subscription name` or `resource group` that the Log Alert Rule will be applied to\n7. 
Verify that the selection preview shows:\n * **All server firewall rule (servers/firewallrules)** or `< your selected resource >`\n * `< Resource Name >` - The subscription, group, or resource you selected\n8. Click `Done`.\n9. Under the Condition tab, click `Add Condition`. The `Select a signal` window may automatically open without clicking.\n10. In the `Select a signal` window, under the \"Signal Name\" heading, click **Delete server firewall rule (Microsoft.Sql/servers/firewallRules)**.\n11. Under the Actions tab, choose appropriately:\n * Select action groups - If you have an existing action group to notify the necessary personnel\n * Create action group - If you do not have an existing action group or want to create a new one\n12. Under the Details tab, fill in:\n * Resource group - Select the resource group you want the alert rule to reside in\n * Alert rule name - Give your alert a recognizable and standardized name\n * Alert rule description - (Optional)\n13. Click `Review + create` then verify the summary details.\n14. 
Click `Create`.\n\n### From the Azure CLI:\n\n```\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the following request body JSON data:\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/firewallRules/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n1. [https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement][1]\n2. [https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log][2] \n3. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate][3] \n4. [https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid][4]\n5. 
[https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation][5]\n\n[1]: https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement\n[2]: https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log\n[3]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate\n[4]: https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid\n[5]: https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-3-enable-logging-for-security-investigation","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.9.2","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of 
:= activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/firewallrules/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"6mh-u2h-598","createdAt":1664214570453,"name":"User has 'Delete SQL Server Firewall Rule' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","requirement:Monitoring","control:A.12.4.1","requirement:Logging","control:5.2.8","level:1","framework:iso-27001","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","source:azure.activity_log","security:compliance","framework:cis-azure","requirement:System-Operations","framework:soc-2","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Security Solution event.\n\n## Rationale\n\nBy monitoring deletion of security solution events, you gain insight into changes to the active security solutions and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, click **Select resource**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Security Solutions** under **Filter by resource type**.\n7. Select **All** for **Filter by location**.\n8. Click on the subscription resource from the entries populated under **Resource**.\n9. Click **Done**. \n10. Verify that **Selection preview** shows **Security Solutions** and your selected subscription name.\n11. Under **Condition**, click **Add Condition**. \n12. Select **Delete Security Solutions** signal.\n13. Click **Done**.\n14. Under **Action group**, select **Add action groups** and either complete the creation process or select the appropriate action group.\n15. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n16. Select appropriate resource group to save the alert to. \n17. 
Click on the **Enable alert rule upon creation** checkbox.\n18. Click **Create alert rule**.\n\n**Using the Azure CLI:** \n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nwhere `input.json` contains the Request body JSON data as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Security\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/securitySolutions/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. 
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"5.2.8","framework":"cis-azure","requirement":"Logging","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tactivity_log_alert := input.resources.azure_activity_log_alert[_]\n\tactivity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/securitysolutions/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tactivity_log_alert.location == \"Global\"\n\tactivity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tactivity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if 
{\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"dmv-rv8-crn","createdAt":1645733607452,"name":"User has 'Delete Security Solution' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:10.5.5","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.5.2","control:A.12.4.1","control:A.12.4.2","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Storage Account event.\n\n## 
Rationale\n\nBy monitoring for storage accounts deletion events, you gain insight into storage account changes and may reduce the time it takes to detect suspicious activity.\n\n## Remediation\n\n**In the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Alerts**.\n3. Click on **New Alert Rule**.\n4. Under **Scope**, click **Select scope**. \n5. Select the appropriate subscription under **Filter by subscription**. \n6. Select **Storage Accounts** under **Filter by resource type**. \n7. Select **All** for **Filter by location**. \n8. Click on the **Include all future resources** checkbox.\n9. Click **Done**. \n10. Under **Condition**, click **Add Condition**.\n11. Select **Delete Storage Account** signal. \n12. Click **Done**. \n13. Under **Actions**, select **Add action groups** and either complete the creation process, or select the appropriate action group. \n14. Under **Alert rule details**, enter **Alert rule name** and **Description**.\n15. Select appropriate resource group to save the alert to. \n16. Click on the **Enable alert rule upon creation** checkbox.\n17. 
Click **Create alert rule**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"Authorization: Bearer $1\" -H \"Content-Type: application/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\nWhere `input.json` contains the request body JSON data, as mentioned below.\n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"field\": \"operationName\",\n \"equals\": \"Microsoft.Storage/storageAccounts/delete\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n \"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n## References\n\n\n1. https://azure.microsoft.com/en-us/updates/classic-alerting-monitoring-retirement \n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources\n\n## CIS Controls\n\nVersion 7, 6.3 - Enable Detailed Logging: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.2","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.5.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.2","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security",
"version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.storage/storageaccounts/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a41-nfr-mlw","createdAt":1646928386487,"name":"User has 'Delete Storage Accounts' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","control:10.2.7","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Delete Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Delete Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/delete\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Delete Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/delete'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action 
$ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.7","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"
hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/delete\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"2jg-psh-mzj","createdAt":1648803812991,"name":"User has 
'Delete Virtual Machines' activity log alert configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Power Off Virtual Machine event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Power Off Virtual Machine**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Compute/virtualMachines/powerOff/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Power Off Virtual Machine'\n$Signal = 'Microsoft.Compute/virtualMachines/powerOff/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope 
$scope -Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","vers
ion":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.compute/virtualmachines/poweroff/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"a74-hjg-yok","createdAt":1648760544699,"name":"User has 'Power Off Virtual Machine' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","requirement:Logical-and-Physical-Access-Control","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Rename Azure SQL Database event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Rename Azure SQL Database**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Sql/servers/databases/move/action\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Rename Azure SQL Database'\n$Signal = 'Microsoft.Sql/servers/databases/move/action'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope 
-Action $ActionGroupId -Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-database-paas-overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security",
"version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.sql/servers/databases/move/action\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"rgo-i7v-g9b","createdAt":1649774831328,"name":"User has 'Rename Azure SQL Database' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Key Vault event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Key Vault**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.KeyVault/vaults/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Key Vault'\n$Signal = 'Microsoft.KeyVault/vaults/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId -Condition 
$conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/key-vault/general/overview\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirem
ent":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.keyvault/vaults/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"4ri-hhx-fnd","createdAt":1648803815885,"name":"User has 'Update Key Vault' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","scope:azure.activity_log","cloud_provider:azure","control:10.1","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:A.12.4.1","requirement:Security-Incident-Procedures","level:1","requirement:Audit-Controls","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","source:azure.activity_log","security:compliance","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","framework:soc-2","control:164.312-b","control:10.3","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nCreate an activity log alert for the Update Security Policy event.\n\n## Rationale\n\nBy implementing alerting on significant infrastructure changes in Microsoft Azure, you can detect unauthorized or unwanted activity.\n\n## Remediation\n\n\n**Using the Azure Console:**\n\n1. Navigate to **Monitor**. \n2. Select **Activity Logs**.\n3. Search the operation name **Update Security Policy**.\n3. Click **On New Alert Rule**.\n4. Under **Scope**, select the Subscription and any Resource Groups that need monitoring.\n5. Configure Action groups if needed.\n6. In **Details**, provide a descriptive Alert rule name and description.\n7. Go to **Tags** and enter relevant tags.\n8. 
Click **Review + create**.\n\n**Using the Azure CLI:**\n\n```bash\naz account get-access-token --query \"{subscription:subscription,accessToken:accessToken}\" --out tsv | xargs -L1 bash -c 'curl -X PUT -H \"AuthorizationBearer $1\" -H \"Content-Typeapplication/json\" https://management.azure.com/subscriptions/$0/resourceGroups//providers/microsoft.insights/activityLogAlerts/?api-version=2017-04-01 -d@\"input.json\"'\n```\n\n`input.json` contains the request body JSON data mentioned below. \n\n```json\n{\n \"location\": \"Global\",\n \"tags\": {},\n \"properties\": {\n \"scopes\": [\n \"/subscriptions/\"\n ],\n \"enabled\": true,\n \"condition\": {\n \"allOf\": [\n {\n \"containsAny\": null,\n \"equals\": \"Administrative\",\n \"field\": \"category\"\n },\n {\n \"containsAny\": null,\n \"equals\": \"Microsoft.Security/policies/write\",\n \"field\": \"operationName\"\n }\n ]\n },\n \"actions\": {\n \"actionGroups\": [\n {\n \"actionGroupId\": \"/subscriptions//resourceGroups//providers/microsoft.insights/actionGroups/\",\n\"webhookProperties\": null\n }\n ]\n },\n }\n}\n```\n\n**Using PowerShell AZ cmdlets**: \n\n```powershell\n$ComplianceName = 'Update Security Policy'\n$Signal = 'Microsoft.Security/policies/write'\n$Category = 'Administrative'\n$ResourceGroupName = 'MyResourceGroup'\n$actiongroup = (Get-AzActionGroup -Name corenotifications -ResourceGroupName $ResourceGroupName)\n$ActionGroupId = (New-Object Microsoft.Azure.Management.Monitor.Models.ActivityLogAlertActionGroup $ActionGroup.Id)\n$Subscription = (Get-AzContext).Subscription\n$location = 'Global'\n$scope = \"/subscriptions/$($Subscription.Id)\"\n$alertName = \"$($Subscription.Name) - $($ComplianceName)\"\n$conditions = @(\n New-AzActivityLogAlertCondition -Field 'category' -Equal $Category\n New-AzActivityLogAlertCondition -Field 'operationName' -Equal $Signal\n)\nSet-AzActivityLogAlert -Location $location -Name $alertName -ResourceGroupName $ResourceGroupName -Scope $scope -Action $ActionGroupId 
-Condition $conditions\n```\n## References\n\n1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy\n2. https://docs.microsoft.com/en-in/azure/azure-monitor/platform/alerts-activity-log \n3. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/createorupdate \n4. https://docs.microsoft.com/en-in/rest/api/monitor/activitylogalerts/listbysubscriptionid \n5. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-logging-threat-detection#lt-4-enable-logging-for-azure-resources \n\n## CIS Controls\n\nVersion 7: _6.3 Enable Detailed Logging_. Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-b","framework":"hipaa","requirement":"Audit-Controls","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"hipaa","requirement":"Workforce-Security","version":"1"},{"control":"164.312-e-2-i","
framework":"hipaa","requirement":"Transmission-Security","version":"1"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(subscription) = \"pass\" if {\n\tazure_activity_log_alert := input.resources.azure_activity_log_alert[_]\n\tazure_activity_log_alert.subscription_id == subscription.subscription_id\n\n\tcondition_all_of := azure_activity_log_alert.condition_all_of[j]\n\tcondition_all_of.field == \"operationName\"\n\n\tlower(condition_all_of.equals) == \"microsoft.security/policies/write\"\n\n\tnot condition_all_of.contains_any\n\n\tazure_activity_log_alert.location == \"Global\"\n\tazure_activity_log_alert.scopes[_] == concat(\"\", [\"/subscriptions/\", subscription.subscription_id])\n\tazure_activity_log_alert.enabled\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["azure_subscription","azure_activity_log_alert"]},"validationQuery":"","resourceType":"azure_subscription","filter":"","queryPath":"","complexRule":true},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_subscription","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"xjf-qfe-xzs","createdAt":1649774850199,"name":"User has 'Update Security Policy' activity log alert 
configured"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:azure.compute","source:azure","tactic:TA0002-execution","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs a command on an Azure Virtual Machine through the Azure CLI or Portal.\n\n## Strategy\nMonitor Azure Compute logs for `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION` events that have `@evt.outcome` of `Success`. \n\n## Triage and response\n1. Reach out to the user to determine if the activity is legitimate. ","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"vm_exec","distinctFields":[]},{"query":"source:azure.compute @evt.name:\"MICROSOFT.COMPUTE/VIRTUALMACHINESCALESETS/VIRTUALMACHINES/RUNCOMMAND/ACTION\" @evt.outcome:Success","groupByFields":[],"aggregation":"count","name":"scaleset_exec","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"Virtual Machine","condition":"vm_exec > 0"},{"status":"info","notifications":[],"name":"Virtual Machine Scale Set","condition":"scaleset_exec > 0"}],"type":"log_detection","id":"zsk-t0h-9ll","createdAt":1614973225002,"name":"User ran a command on Azure Compute"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:iam","iaas:aws","source:cloudtrail"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Event Summary\n`@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` had activity from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}` which are 
approximately `{{@impossible_travel.triggering_locations.travel_distance}}km` apart within `{{@impossible_travel.triggering_locations.travel_time_human_readable}}`. This indicates a potential impossible travel.\n\n## Goal\nDetect an Impossible Travel event when a `@userIdentity.type:` `{{@userIdentity.type}}` uses an AWS IAM access key in CloudTrail logs.\n\n## Strategy\nThe Impossible Travel detection type's algorithm compares the GeoIP data of the last log and the current log to determine if the IAM user with `@userIdentity.session_name:` `{{@userIdentity.session_name}}` traveled more than 500km at over 1,000km/hr and used an AWS IAM access key in CloudTrail logs.\n\n## Triage and response\n1. Determine if the `@userIdentity.accessKeyId:` `{{@userIdentity.accessKeyId}}` for `@userIdentity.session_name:` `{{@userIdentity.session_name}}` should be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`.\n2. If the IAM user should not be used from `{{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}}` and `{{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}`, then consider isolating the account and reset credentials.\n3. 
Audit any user actions that may have occurred after the illegitimate login.","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":86400,"keepAlive":21600},"version":167,"isDefault":true,"filters":[],"queries":[{"distinctFields":[],"name":"","metric":"@network.client.geoip","aggregation":"geo_data","metrics":["@network.client.geoip"],"groupByFields":["@userIdentity.session_name"],"query":"source:cloudtrail @userIdentity.type:IAMUser"}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":""}],"type":"log_detection","id":"gvs-ybz-d25","createdAt":1646247437717,"name":"User travel was impossible in AWS CloudTrail IAM log"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","scope:google_service_account","control:1.7","requirement:Credentials","framework:cis-gcp","requirement:Compliance","level:1","source:google_service_account","control:A.18.1.3","framework:soc-2","requirement:Identity-and-Access-Management","control:A.9.1.2","control:8.2.4","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nService Account keys consist of a key ID (private_key_id) and a private key. These keys are used to sign programmatic requests that users make to Google Cloud services and make them accessible to the particular service account. You should regularly rotate all Service Account keys.\n\n## Rationale\n\nRotating Service Account keys reduces the opportunity window of an access key associated with a compromised or terminated account being used. 
Service Account keys should be rotated to ensure that data cannot be accessed with an old key that may have been lost, cracked, or stolen.\n\nEach service account is associated with a key pair managed by Google Cloud Platform (GCP). It is used for service-to-service authentication within GCP. Google rotates the keys daily.\n\nGCP provides the option to create one or more user-managed (also called external) key pairs for use from outside GCP, for example: with Application Default Credentials. When a new key pair is created, the user is required to download the private key, which is not retained by Google. \n\nWith external keys, users are responsible for keeping the private key secure and other management operations such as key rotation. External keys can be managed by the IAM API, the Google Cloud Platform command-line tool, or the Service Accounts page in the Google Cloud Platform Console. GCP facilitates up to 10 external service account keys per service account for key rotation.\n\n## Remediation\n\nDelete any external, user-managed Service Account Keys older than 90 days:\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**.\n2. In the **Service Account Keys** section, click the Delete icon to delete every external, user-managed service account key where the creation date is greater or equal to the past 90 days.\n\nTo create an external, user-managed Service Account Key for a Service Account:\n\n1. In the [Cloud Console][1], navigate to **APIs & Services** > **Credentials**. \n2. Click **Create Credentials** and **Service Account Key**. \n3. Select the service account from the drop-down menu for every external, user-managed Service Account key you want to create.\n4. Select the desired key type format, such as JSON or P12.\n5. Click **Create**, which downloads the private key. Keep this key safe.\n6. 
If prompted, click **Close**.\n\nYou are redirected to the **APIs & Services** > **Credentials** page and you can see the new ID displayed in the **Service Account Keys** section.\n\n\n## Impact\n\nRotating service account keys breaks communication for dependent applications. Dependent applications need to be configured manually with the new key ID displayed in the **Service Account Keys** section and the user needs to download the private key.\n\n## References\n\n1. https://cloud.google.com/iam/docs/understanding-service-accounts#managing_service_account_keys\n2. https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/keys/list\n3. https://cloud.google.com/iam/docs/service-accounts\n\n[1]: https://console.cloud.google.com/apis/credentials\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.7","framework":"cis-gcp","requirement":"Identity-and-Access-Management","version":"1.3.0"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"8.2.4","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in 
input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account_key"]},"validationQuery":"","resourceType":"gcp_iam_service_account_key","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_iam_service_account_key","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"ej5-n8p-p3x","createdAt":1656445783171,"name":"User-managed or external keys for service accounts are rotated every 90 days or less"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:gcp","requirement:Confidentiality","control:C1.2","source:google_compute_disk","framework:cis-gcp","requirement:Compliance","level:2","control:A.18.1.3","framework:soc-2","control:4.7","requirement:Cardholder-Data","control:A.9.1.2","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","requirement:Access-Control","control:3.6.4","framework:pci","scope:google_compute_disk","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nCustomer-Supplied Encryption Keys (CSEK) are a feature in Google Cloud Storage and\nGoogle Compute Engine. If you supply your own encryption keys, Google uses your key to\nprotect the Google-generated keys used to encrypt and decrypt your data. By default,\nGoogle Compute Engine encrypts all data at rest. Compute Engine handles and manages\nthis encryption for you without any additional actions on your part. 
However, if you\nwanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\n\n### Default value\nBy default, VM disks are encrypted with Google-managed keys. They are not encrypted\nwith `Customer-Supplied` Encryption Keys.\n\n## Rationale\nBy default, Google Compute Engine encrypts all data at rest. Compute Engine handles and\nmanages this encryption for you without any additional actions on your part. However, if\nyou wanted to control and manage this encryption yourself, you can provide your own\nencryption keys.\nIf you provide your own encryption keys, Compute Engine uses your key to protect the\nGoogle-generated keys used to encrypt and decrypt your data. Only users who can provide\nthe correct key can use resources protected by a customer-supplied encryption key.\nGoogle does not store your keys on its servers and cannot access your protected data\nunless you provide the key. This also means that if you forget or lose your key, there is no\nway for Google to recover the key or to recover any data encrypted with the lost key.\nBusiness critical VMs should have VM disks encrypted with CSEK.\n\n### Impact\nIf you lose your encryption key, you will not be able to recover the data.\n\n## Remediation\nYou cannot update the encryption of an existing disk. Therefore, you\nshould create a new disk with encryption set to **Customer supplied**.\n\n### From the console: \n1. Go to [Compute Engine Disks][1] in your Google Cloud console.\n2. Click **CREATE DISK**.\n3. Set **Encryption type** to `Customer supplied`.\n4. Provide the **Key** in the box.\n5. Select **Wrapped key**.\n6. Click **Create**.\n\n### From the command line:\nYou can use the `gcloud` CLI to encrypt a disk using the `--csek-key-file` flag during instance\ncreation. If you are using an RSA-wrapped key, use the gcloud beta component. 
See [RSA key wrapping][5] in Google's Compute Engine documentation.\n```\ngcloud compute instances create --csek-key-file \n```\n\nTo encrypt a standalone persistent disk:\n```\ngcloud compute disks create --csek-key-file \n```\n\n## References\n1. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys][2]\n2. [https://cloud.google.com/compute/docs/reference/rest/v1/disks/get][3]\n3. [https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file][4]\n\n[1]: https://console.cloud.google.com/compute/disks\n[2]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#encrypt_a_new_persistent_disk_with_your_own_keys\n[3]: https://cloud.google.com/compute/docs/reference/rest/v1/disks/get\n[4]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#key_file\n[5]: https://cloud.google.com/compute/docs/disks/customer-supplied-encryption#rsa-encryption","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.7","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"3.6.4","framework":"pci","requirement":"Cardholder-Data","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"C1.2","framework":"soc-2","requirement":"Confidentiality","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_disk) = \"pass\" if {\n\tcompute_disk.disk_encryption_key.sha256\n} else = \"fail\" {\n\ttrue\n}\n\n# This part remains unchanged for all 
rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]},"validationQuery":"","resourceType":"gcp_compute_disk","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_disk","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"low","notifications":[],"name":"","condition":"a > 0"}],"id":"ltx-1jr-roe","createdAt":1662120164402,"name":"VM disks for critical VMs are encrypted with customer-supplied encryption keys (CSEK)"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:gcp","control:10.1","requirement:Monitoring","control:10.2.5","control:A.12.4.1","control:10.2.4","control:A.12.4.3","requirement:System-Operations","framework:cis-gcp","requirement:Control-Activities","scope:google_compute_subnetwork","level:1","framework:soc-2","control:3.8","source:google_compute_subnetwork","framework:iso-27001","control:10.3","control:CC7.2","framework:pci","requirement:Networking","requirement:Operations-Security","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nFlow Logs is a feature that enables users to capture information about the IP traffic going to and from network interfaces in an organization's VPC subnets. Once a flow log is created, the user can view and retrieve its data in Stackdriver Logging. 
It is recommended that Flow Logs is enabled for every business-critical VPC subnet.\n\n### Default value\nBy default Flow Logs is set to `Off` when a new VPC network subnet is created.\n\n## Rationale\nVPC networks and subnetworks that are not reserved for internal HTTP(S) load balancing provide logically isolated and secure network partitions from which GCP resources can be launched.\nWhen Flow Logs are enabled for a subnet, VMs within that subnet start reporting on all\nTransmission Control Protocol (TCP) and User Datagram Protocol (UDP) flows. Each VM\nsamples the TCP and UDP flows it sees, inbound and outbound, whether the flow is to or\nfrom another VM, a host in the on-premise datacenter, a Google service, or a host on the\nInternet. If two GCP VMs are communicating, and both are in subnets that have VPC Flow\nLogs enabled, both VMs report the flows.\n\nFlow Logs supports the following use cases:\n- Network monitoring\n- Understanding network usage and optimizing network traffic expenses\n- Network forensics\n- Real-time security analysis\n\nFlow Logs provides visibility into network traffic for each VM inside the subnet and can be\nused to detect anomalous traffic or provide insight on security workflows.\nThe Flow Logs must be configured such that all network traffic is logged. The interval of\nlogging is granular enough to provide detailed information on the connections, where no logs are filtered and metadata to facilitate investigations are included.\n\n- Note: Subnets reserved for use by internal HTTP(S) load balancers do not support VPC\nFlow Logs.\n\n### Impact\nStandard pricing for Stackdriver Logging, BigQuery, or Cloud Pub/Sub applies. VPC Flow\nLogs generation will be charged when it's generally available, as described in this reference:\n[https://cloud.google.com/vpc/][1]\n\n## Remediation\n\n### From the console: \n1. Go to the VPC network GCP Console page by visiting:\n[https://console.cloud.google.com/networking/networks/list][2]\n2. 
Click the name of a **subnet** to display the subnet details page.\n3. Click **EDIT** .\n4. Set Flow Logs to **On**.\n5. Expand the **Configure Logs** section.\n6. Set **Aggregation Interval** to `5 SEC`.\n7. Check the box for **Include metadata**.\n8. Set **Sample rate** to `100`.\n9. Click **Save**.\n\n- Note: You can only configure a log filter from the command line.\n\n### From the command line:\nTo enable VPC Flow Logs for a network subnet, run the following command:\n```\ngcloud compute networks subnets update [SUBNET_NAME] --region [REGION] --\nenable-flow-logs --logging-aggregation-interval=interval-5-sec --logging-\nflow-sampling=1 --logging-metadata=include-all\n```\n\n## References\n1. [https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging][3]\n2. [https://cloud.google.com/vpc/][1]\n\n[1]: https://cloud.google.com/vpc/\n[2]: https://console.cloud.google.com/networking/networks/list\n[3]: https://cloud.google.com/vpc/docs/using-flow-logs#enabling_vpc_flow_logging\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"3.8","framework":"cis-gcp","requirement":"Networking","version":"1.3.0"},{"control":"10.1","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.2.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"A.12.4.3","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport 
data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(compute_subnetwork) = \"skip\" if {\n\tinternal_HTTPS_LB_subnet(compute_subnetwork)\n} else = \"pass\" {\n\tcompute_subnetwork.enable_flow_logs == true\n\tcompute_subnetwork.purpose == \"PRIVATE\"\n} else = \"fail\" {\n\ttrue\n}\n\ninternal_HTTPS_LB_subnet(compute_subnetwork) if {\n\tcompute_subnetwork.purpose == \"INTERNAL_HTTPS_LOAD_BALANCER\"\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_subnetwork"]},"validationQuery":"","resourceType":"gcp_compute_subnetwork","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_subnetwork","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"q4v-tv4-txv","createdAt":1663355398183,"name":"VPC Flow Logs are enabled for all subnets in the VPC 
network"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","scope:ec2","source:ec2","control:CC6.6","requirement:Compliance","level:2","framework:cis-aws","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.2.3","security:compliance","control:1.3.4","control:1.2.1","cloud_provider:aws","requirement:Communications-Security","control:5.3","control:2.1","requirement:Default-Security-Parameters","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Networking","control:CC6.1"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nA VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. \n\nSet up your default security group to restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs automatically contain a default security group that needs remediation to comply with this recommendation. \n\n**Note**: When implementing this recommendation, VPC flow logging is invaluable in determining the least privilege port access required by systems to work properly because it can log all packet acceptances and rejections occurring under the current security groups. This dramatically reduces the primary barrier to least privilege engineering - discovering the minimum ports required by systems in the environment. 
Even if the VPC flow logging recommendation in this benchmark is not adopted as a permanent security measure, it should be used during any period of discovery and engineering for least privileged security groups.\n\n## Rationale\n\nConfiguring all VPC default security groups to restrict all traffic will encourage the least privileged security group development and mindful placement of AWS resources into security groups, which will reduce the exposure of those resources.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nImplementing this recommendation in an existing VPC containing operating resources requires extremely careful migration planning as the default security groups are likely to be enabling many ports that are unknown. Enabling VPC flow logging (of accepts) in an existing environment that is known to be breach free will reveal the current pattern of ports being used for each instance to communicate successfully.\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79201-0\n2. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html][2]\n3. [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group][3]\n\n## CIS controls\n\nVersion 7, 14.6 - Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. 
These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\n[3]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#default-security-group\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.3","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.1","framework":"pci","requirement":"Default-Security-Parameters","version":"3.2.1"},{"control":"5.3","framework":"cis-aws","requirement":"Networking","version":"1.3.0"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\ningress_or_egress(direction) if {\n\tdirection == \"ingress\"\n} else {\n\tdirection == 
\"egress\"\n}\n\neval(security_group) = \"fail\" if {\n\trule := security_group.rules[_]\n\tingress_or_egress(rule.direction)\n\tstartswith(rule.security_group_name, \"default\")\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["aws_security_group"]},"validationQuery":"","resourceType":"aws_security_group","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":13,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_security_group","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"75q-ngx-snx","createdAt":1599574003676,"name":"VPC default security groups restrict all traffic"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.7","requirement:Transmission-Security","control:CC6.6","control:164.308-a-3-i","requirement:Compliance","requirement:Security-Management-Process","framework:iso-27001","framework:hipaa","requirement:Access-Control","control:164.308-a-1-ii-B","framework:pci","requirement:Workforce-Security","control:1.3.1","control:1.3.2","security:compliance","control:1.3.4","control:164.312-a-1","requirement:Least-Privileged-Access","control:1.2.1","control:164.312-e-1","cloud_provider:aws","control:7.2.1","requirement:Firewall-Configuration","scope:vpc","control:A.18.1.3","framework:soc-2","control:A.9.2.3","requirement:Logical-and-Physical-Access-Control","control:CC6.1","source:vpc"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nSecure your VPC endpoint by allowing access to only trusted AWS accounts.\n\n## Rationale\n\nVPC endpoints that are publicly accessible are at risk of 
data exposure, data loss, and unexpected AWS billing charges.\n\n## Remediation\n\n### Console\n\nFollow the [Add or remove permissions for your endpoint service][1] AWS console docs.\n\n### CLI\n\n1. Edit your existing Amazon VPC endpoint access policy and replace untrusted AWS identifiers. To create a new policy document, [use the AWS policy generator][2].\n\n ```\n {\n \"Id\": \"VPCCrossAccountAccessPolicy\",\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"*\",\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n \"Principal\": {\n \"AWS\": [\n \"arn:aws:iam::0123456789012:root\"\n ]\n }\n }\n ]\n }\n ```\n\n2. Run `modify-vpc-endpoint` with your [VPC endpoint ID and the updated or new policy document][3] to replace the existing policy.\n\n ```\n aws ec2 modify-vpc-endpoint\n --vpc-endpoint-id vpce-0a12b345\n --policy-document file://vpc-access-policy.json\n ```\n\n[1]: https://docs.aws.amazon.com/vpc/latest/privatelink/add-endpoint-service-permissions.html\n[2]: https://awspolicygen.s3.amazonaws.com/policygen.html\n[3]: 
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-vpc-endpoint.html#synopsis","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.2","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.4","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"A.9.2.3","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"164.308-a-1-ii-B","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-a-1","framework":"hipaa","requirement":"Access-Control","version":"1"},{"control":"164.312-e-1","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-3-i","framework":"hipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"(@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false","resourceType":"aws_vpc_endpoint_policy_statement","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc_endpoint_policy_statement 
((@policy_principal.principal:(\"*\") OR @policy_principal.principal_aws:(\"*\")) @statement_has_condition:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":true,"userActivationStatus":null,"defaultGroupByFields":["@vpc_endpoint_id"],"userGroupByFields":null},"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"id":"slh-tlx-4m0","createdAt":1619540057529,"name":"VPC endpoint is not publicly accessible"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Transmission-Security","control:10.3.6","control:10.3.5","control:164.308-a-6-ii","requirement:Monitoring","control:30.1","framework:gdpr","control:10.3.4","control:A.12.4.1","control:10.3.3","requirement:Security-Incident-Procedures","requirement:Logging","level:2","framework:cis-aws","control:3.9","requirement:Security-Management-Process","control:164.308-a-1-ii-D","framework:iso-27001","framework:hipaa","framework:pci","requirement:Operations-Security","requirement:Communication-and-Information","requirement:Workforce-Security","security:compliance","cloud_provider:aws","control:164.308-a-3-ii-a","requirement:System-Operations","requirement:Records-of-Processing-Activities","scope:vpc","framework:soc-2","control:CC2.1","control:164.312-e-2-i","control:CC7.2","control:CC7.1","source:vpc"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nVPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. 
Enable VPC Flow Logs for packet \"Rejects\" for VPCs.\n\n## Rationale\n\nVPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect unusual traffic or insight during security workflows.\n\n## Remediation\n\nSee the [CIS AWS Foundations Benchmark controls docs][1] for console remediation steps.\n\n## Impact\n\nBy default, CloudWatch Logs will store Logs indefinitely unless you define a specific retention period for the log group. When choosing the number of days to retain, keep in mind that, on average, it takes an organization 210 days to detect a breach. Since additional time is required to research a breach, a minimum 365-day retention policy allows time for detection and research. You may also wish to archive the logs to a cheaper storage service rather than simply deleting them. See the following AWS resource to manage CloudWatch Logs retention periods: \n\n1. [http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/SettingLogRetention.html][2]\n\n## Default value\n\nNone\n\n## References\n\n1. CCE-79202-8 \n2. 
[http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html][2]\n\n## CIS controls\n\nVersion 7:\n\n6.2 - Activate audit logging - Enable local logging on all systems and networking devices.\n\n12.5 - Configure Monitoring Systems to Record Network Packets - Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries.\n\n[1]: https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html\n[2]: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"10.3.3","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.4","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.5","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"10.3.6","framework":"pci","requirement":"Monitoring","version":"3.2.1"},{"control":"3.9","framework":"cis-aws","requirement":"Logging","version":"1.3.0"},{"control":"CC2.1","framework":"soc-2","requirement":"Communication-and-Information","version":"2"},{"control":"CC7.1","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"CC7.2","framework":"soc-2","requirement":"System-Operations","version":"2"},{"control":"A.12.4.1","framework":"iso-27001","requirement":"Operations-Security","version":"2"},{"control":"30.1","framework":"gdpr","requirement":"Records-of-Processing-Activities","version":"1"},{"control":"164.308-a-1-ii-D","framework":"hipaa","requirement":"Security-Management-Process","version":"1"},{"control":"164.312-e-2-i","framework":"hipaa","requirement":"Transmission-Security","version":"1"},{"control":"164.308-a-6-ii","framework":"hipaa","requirement":"Security-Incident-Procedures","version":"1"},{"control":"164.308-a-3-ii-a","framework":"h
ipaa","requirement":"Workforce-Security","version":"1"}],"validationQuery":"-@flowlogs.flow_log_status:ACTIVE","resourceType":"aws_vpc","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_vpc (-@flowlogs.flow_log_status:ACTIVE)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"hw6-cqk-hrz","createdAt":1599574005318,"name":"VPC flow logging is enabled in all VPCs"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault root token is used. Root tokens can perform any activity and have the highest level of privileges in Vault and should only be used in emergencies. \n\n## Strategy\nThis rule lets you monitor Vault Audit Logs (`source:vault`) to detect when `root` is seen in either of these two attributes.\n\n* auth policy (`@auth.policies`)\n* auth display name (`@auth.display_name`)\n\nThis rule also lets you monitor the API endpoint `/sys/generate-root` which is used to create new root keys.\n\n## Triage & Response\n1. Determine who created the root token and when. You can get token creation time using the token accessor with `vault token lookup -accessor `. \n2. Inspect the requests made with the root token and ensure that its usage is valid.\n3. Ensure that after the root token is no longer needed, it is revoked (`vault token revoke -accessor `).\n\n## Change Log\n29 Jun 2022 - Updated queries to reduce noise levels. 
Replaced initial query with token creation detection.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @auth.policies:root @http.method:create","groupByFields":["@http.url_details.path"],"aggregation":"count","name":"root_token_created","distinctFields":[]},{"query":"source:vault @auth.policies:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_auth_policy","distinctFields":["@http.method"]},{"query":"source:vault @auth.display_name:root","groupByFields":["@http.url_details.path"],"aggregation":"cardinality","name":"root_token_display_name","distinctFields":["@http.method"]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"A newly created root token was used","condition":"root_token_created > 0 && root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth policy is root","condition":"root_token_auth_policy > 0"},{"status":"high","notifications":[],"name":"The auth display name is root","condition":"root_token_display_name > 0"}],"type":"log_detection","id":"oki-am6-qeh","createdAt":1619801884317,"name":"Vault Root Token Used"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:vault","source:vault","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a vault token is created with an excessive time-to-live (TTL) which can be indicative of an adversary maintaining persistence. \n\n## Strategy\nMonitoring of vault audit logs where tokens are created with a time-to-live greater than 90000 seconds (25 hours). If the TTL requires modification, clone this rule and update `@auth.token_ttl:>90000` in the query. \n\n## Triage & Response\n1. Verify max TTL for tokens in the appropriate Vault configuration.\n2. If the max TTL is higher than required, modify the max TTL.\n3. 
Verify with the token creator to confirm that the high TTL token is legitimate.\n4. Revoke the token if it does not have a legitimate use case.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":3,"isDefault":true,"filters":[],"queries":[{"query":"source:vault @request.operation:create @auth.token_ttl:>90000","groupByFields":["@usr.id"],"aggregation":"count","name":"high_vault_ttl","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"high_vault_ttl > 0"}],"type":"log_detection","id":"ag8-huz-nlj","createdAt":1619801884333,"name":"Vault Token Created with Excessive TTL"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","security:compliance","framework:soc-2","scope:redshift","cloud_provider:aws","requirement:Application-Updates","requirement:Logical-and-Physical-Access-Control","source:redshift","control:6.2","framework:pci"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfirm `AllowVersionUpgrade` is enabled so [Redshift clusters][1] can automatically upgrade to the latest version.\n\n## Rationale\n\nEnablement allows the latest version to automatically install, deploying the most recent bug fixes and security patches.\n\n## Remediation\n\n### Console\n\nFollow the [Cluster maintenance][4] docs to permit automatic upgrade for your clusters.\n\n### CLI\n\n1. 
Run `modify-cluster` to [set `allow-version-upgrade` for a cluster][3].\n\n ```\n aws redshift modify-cluster\n\t --cluster-identifier cluster-id-name\n\t --allow-version-upgrade\n ```\n\n[1]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html\n[2]: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/redshift/modify-cluster.html\n[3]: https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-cluster-maintenance\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"6.2","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@allow_version_upgrade:false","resourceType":"aws_redshift_cluster","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:aws_redshift_cluster (@allow_version_upgrade:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"type":"cloud_configuration","id":"5wo-2kl-jv1","createdAt":1599574006748,"name":"Version upgrade is enabled for Redshift 
cluster"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","security:compliance","cloud_provider:azure","control:6.5.3","framework:cis-azure","control:7.1","requirement:Credentials","requirement:Compliance","scope:azure.compute","level:1","control:A.18.1.3","framework:soc-2","requirement:Application-Updates","framework:iso-27001","requirement:Logical-and-Physical-Access-Control","control:8.2.1","source:azure.compute","framework:pci","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nMigrate blob-based VHDs to managed disks on virtual machines to exploit the default features of this configuration. The features include:\n\n1. Default disk encryption\n2. Resilience, as Microsoft manages the disk storage and moves it if underlying hardware is faulty\n3. Reduction of costs over storage accounts\n\n## Rationale\n\nManaged disks are by default encrypted on the underlying hardware so no additional encryption is required for basic protection. Additional encryption is available if required. Managed disks are more resilient than storage accounts. For ARM deployed virtual machines, Azure Adviser recommends moving VHDs to managed disks from both a security and cost management perspective.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/convert-unmanaged-to-managed-disks\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-governance-strategy#gs-1-define-asset-management-and-data-protection-strategy\n\n## Remediation\n\nFrom Azure Console:\n\n1. Using the search feature, go to Virtual Machines\n2. Select the virtual machine you would like to convert\n3. Select Disks in the menu for the VM\n4. Select Migrate to managed disks\n5. 
Follow the prompts to convert the disk and finish by selecting Migrate to start the process\n\n**NOTE**: VMs are stopped and restarted after migration is complete.\n\nPowerShell:\n\n```powershell\nStop-AzVM -ResourceGroupName $rgName -Name $vmName -Force ConvertTo-AzVMManagedDisk -ResourceGroupName $rgName -VMName $vmName Start-AzVM -ResourceGroupName $rgName -Name $vmName\n```\n\n## Impact\n\nThere is no operational impact of migrating to managed disks other than the benefits mentioned above.\n\n**NOTE**: When converting to managed disks, VMs are powered off and back on.\n\n## CIS Controls\n\nVersion 7 13 - Data Protection","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"7.1","framework":"cis-azure","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"6.5.3","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"(-@storage_profile.os_disk.managed_disk_id:*) OR (@storage_profile.os_disk.managed_disk_id:(\"\"))","resourceType":"azure_virtual_machine_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_virtual_machine_instance ((-@storage_profile.os_disk.managed_disk_id:*) OR 
(@storage_profile.os_disk.managed_disk_id:(\"\")))","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mcc-ygq-5xf","createdAt":1631690464170,"name":"Virtual Machines are utilizing Managed Disks"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","requirement:Context-of-the-Organization","control:4.2.2","framework:iso-27001","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nEnabling Azure Defender for SQL server does not enable vulnerability assessment capabilities for individual SQL databases unless a storage account is set to store the scanning data and reports. The Vulnerability Assessment service scans databases for known security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. 
Additionally, an assessment report can be customized by setting an acceptable baseline for permission configurations, feature configurations, and database settings.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, Click Storage Account\n6. Choose Storage Account (Existing or Create New). Click Ok\n7. Click Save Using Azure PowerShell. If not already, enable Azure Defender for a SQLSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service by setting Storage Account Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"e0l-3r9-cvj","createdAt":1624867975658,"name":"Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:4.2.5","cloud_provider:azure","source:azure.sql","framework:cis-azure","scope:azure.sql","control:5.3","requirement:Default-Security-Parameter","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","level:1","requirement:Database-Services","framework:soc-2","requirement:Risk-Mitigation","control:CC7.3","control:CC9.1","control:CC7.1","framework:pci","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable the vulnerability assessment (VA) setting, \"Also send email notifications to admins and subscription owners\".\n\n## Rationale\n\nVA scan reports and alerts are sent to admins and subscription owners by enabling the setting, \"Also send email notifications to admins and subscription owners\". 
This helps to reduce the time required for identifying risks and taking corrective measures.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. Select a server instance\n3. Click on Security Center\n4. Select Configure next to Enabled at subscription-level\n5. In Section Vulnerability Assessment Settings, configure Storage Accounts\n6. Check/enable \"Also send email notifications to admins and subscription owners\"\n7. Click Save using the Azure PowerShell. If not already set, Enable Advanced Data Security for a SQL:\n\n ```bash\n -ServerSet-AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service and Set ''Also send email notifications to admins and subscription owners'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"gnq-rte-6fy","createdAt":1624867976876,"name":"Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","cloud_provider:azure","source:azure.sql","control:4.2.3","requirement:Default-Security-Parameter","level:1","requirement:Database-Services","requirement:Context-of-the-Organization","requirement:Regular-Testing","framework:iso-27001","control:11.2.1","framework:pci","security:compliance","framework:cis-azure","scope:azure.sql","control:4.4","control:5.3","requirement:System-Operations","control:2.2","requirement:Control-Activities","requirement:Regularly-Update-Antivirus","framework:soc-2","requirement:Risk-Mitigation","control:CC9.1","control:CC7.1","control:CC5.2"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnable vulnerability assessment (VA) periodic recurring scans for critical SQL servers and corresponding SQL databases.\n\n## Rationale\n\nVA setting \"Periodic recurring scans\" schedules periodic (weekly) 
vulnerability scanning for the SQL server and corresponding Databases. Routine vulnerability scanning provides risk visibility based on updated known vulnerability signatures and best practices.\n\n## Remediation\n\nFrom Azure Console:\n\n1. Go to SQL servers\n2. For each server instance\n3. Click on Security Center\n4. In Section Vulnerability Assessment Settings, set Storage Account\n5. Toggle \"Periodic recurring scans\" to ON.\n6. Click Save using the Azure PowerShell. If not already set, enable Advanced Data Security for a SQL ServerSet:\n\n ```bash\n -AZSqlServerThreatDetectionPolicy -ResourceGroupName -ServerName -EmailAdmins $True To enable ADS-VA service with ''Periodic recurring scans'' Update-AzSqlServerVulnerabilityAssessmentSetting ` -ResourceGroupName \"\"` -ServerName \"\"` -StorageAccountName \" 0"}],"id":"jum-0ht-les","createdAt":1624867977012,"name":"Vulnerability Assessment (VA) setting Periodic Recurring Scans is enabled on a SQL server"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","control:CC6.6","source:azure.appservice","cloud_provider:azure","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:9.4","scope:azure.appservice","framework:iso-27001","requirement:Access-Control","framework:pci","control:1.3.1","control:A.14.1.2","control:A.14.1.3","security:compliance","requirement:Least-Privileged-Access","control:1.2.1","framework:cis-azure","requirement:Communications-Security","control:4.1","requirement:App-Service","control:7.2.1","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nClient certificates allow for an app to request a certificate for incoming requests. 
Only clients that have a valid certificate can reach the app.\n\n## Rationale\n\nThe TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled, only an authenticated client who has valid certificates can access the app.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on Configuration\n5. Under Incoming client certificates, set the Client Certificate Mode option to Require.\n\n\nAzure Command Line Interface:\n\nTo set incoming client certificates value for an existing app, run the following command: `az webapp update --resource-group --name --set clientCertEnabled=true'`\n\n## Impact\n\nUsing and maintaining client certificates requires additional work to obtain and manage key replacement and rotation.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n\n## CIS Controls\n\nVersion 7 14 - Controlled Access Based on the Need to 
Know","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.4","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.3.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"7.2.1","framework":"pci","requirement":"Least-Privileged-Access","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"-@client_cert_enabled:true","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(-@client_cert_enabled:true)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"esg-ed4-xa9","createdAt":1631623027807,"name":"Web app has 'Client Certificates (Incoming client certificates)' set to 'On'"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["control:CC6.8","scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:6.6","control:9.3","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Change-Management","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC8.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nThe TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App Service uses TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS.\n\n## Rationale\n\nApp Service currently allows web apps to set TLS versions 1.0, 1.1 and 1.2. It is highly recommended to use the latest TLS 1.2 version for a secure connection.\n\n## Remediation\n\nAzure Console:\n\n 1. Login to Azure Portal using https://portal.azure.com\n 2. Go to App Services\n 3. 
Click on each app\n 4. Under the Settings section, click on SSL settings\n 5. Under Protocol Settings, set Minimum TLS Version to 1.2\n\nAzure Command Line Interface:\n\nTo set TLS Version for an existing app, run the following command: `az webapp config set --resource-group --name --min-tls-version 1.2'`\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-tls-versions\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections\n","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.3","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.8","framework":"soc-2","requirement":"Logical-and-
Physical-Access-Control","version":"2"},{"control":"CC8.1","framework":"soc-2","requirement":"Change-Management","version":"2"}],"validationQuery":"-@site_config_min_tls_version:1.2","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service (-@site_config_min_tls_version:1.2)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"8iy-ghp-cvk","createdAt":1631623032658,"name":"Web app is using the latest version of TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","control:CC6.7","source:azure.appservice","cloud_provider:azure","requirement:Default-Security-Parameter","requirement:Credentials","requirement:Compliance","level:1","requirement:System-Acquisition-Development-and-Maintenance","control:2.2.3","control:9.2","control:6.6","requirement:Application-Updates","scope:azure.appservice","framework:iso-27001","framework:pci","control:A.14.1.2","control:A.14.1.3","security:compliance","framework:cis-azure","control:4.1","requirement:App-Service","requirement:Control-Activities","control:A.18.1.3","framework:soc-2","requirement:Logical-and-Physical-Access-Control","requirement:Encryption-In-Transit","control:8.2.1","control:CC5.2","control:CC6.1"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAzure Web Apps allow sites to use both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. 
It is recommended to enforce HTTPS-only traffic.\n\n## Rationale\n\nEnabling HTTPS-only traffic redirects all non-secure HTTP request to HTTPS ports. HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated, so it is important to support HTTPS for the security benefits.\n\n## Remediation\n\nAzure Console:\n\n1. Login to Azure Portal using https://portal.azure.com\n2. Go to App Services\n3. Click on each app\n4. Under the Settings section, click on SSL settings\n5. Under Protocol Settings, set HTTPS Only to On.\n\nAzure Command Line Interface:\n\nTo set the HTTPS-only traffic value for an existing app, run the following command: `az webapp update --resource-group --name --set httpsOnly=true'`\n\n## Impact\n\nWhen enabled, every incoming HTTP request is redirected to the HTTPS port. This adds an extra level of security to the HTTP requests made to the app.\n\n## References\n\n1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl#enforce-https\n2. https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-data-protection#dp-4-encrypt-sensitive-information-in-transit\n3. 
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-network-security#ns-1-implement-security-for-internal-traffic\n\n## CIS Controls\n\nVersion 7 7 - Email and Web Browser Protections","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"9.2","framework":"cis-azure","requirement":"App-Service","version":"1.3.0"},{"control":"2.2.3","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"4.1","framework":"pci","requirement":"Encryption-In-Transit","version":"3.2.1"},{"control":"6.6","framework":"pci","requirement":"Application-Updates","version":"3.2.1"},{"control":"8.2.1","framework":"pci","requirement":"Credentials","version":"3.2.1"},{"control":"A.14.1.2","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.14.1.3","framework":"iso-27001","requirement":"System-Acquisition-Development-and-Maintenance","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC5.2","framework":"soc-2","requirement":"Control-Activities","version":"2"},{"control":"CC6.1","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.7","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"validationQuery":"@https_only:false","resourceType":"azure_app_service","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":6,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:azure_app_service 
(@https_only:false)","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"f9i-ctz-jrp","createdAt":1631623031127,"name":"Web app redirects all HTTP traffic to HTTPS in Azure App Service"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["source:windows","technique:T1070-indicator-removal-on-host","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user clears Windows Security logs.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `1102`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to clear the security event logs on `{{host}}`. \n","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:1102","groupByFields":["@Event.UserData.LogFileCleared.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"psn-7zq-iqz","createdAt":1619018680072,"name":"Windows Audit Log 
Cleared"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user resets the Directory Services Restore Mode (DSRM). The DSRM enabled emergency access to a Domain Controller. The DSRM user is a local administrator account that can be utilized for persistence. \n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4794`.\n\n## Triage and response\nVerify if `{{@Event.UserData.LogFileCleared.SubjectUserName}}` has a legitimate reason to change the DSRM password on `{{host}}`. ","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":7,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4794","groupByFields":["host"],"aggregation":"count","name":"standardized","distinctFields":[]},{"query":"@Event.System.EventID:4794","groupByFields":["host"],"aggregation":"count","name":"non_standardized","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized > 0"}],"type":"log_detection","id":"ckw-1ve-anp","createdAt":1619018671358,"name":"Windows Directory Service Restore Mode password changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Domain Administrator group is modified.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is 4737 and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if 
`{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason for changing the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4737 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"high","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"vtr-u5p-65a","createdAt":1619018671758,"name":"Windows Domain Admin Group Changed"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","source:windows","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when the Windows firewall is disabled.\n\n## Strategy\nMonitor the Windows event logs where `@evt.id` is `4950` and the `@Event.EventData.Data.SettingValue:No`.\n\n## Triage and response\nVerify if `{{@Event.System.Computer}}` has a legitimate reason for having the Windows firewall disabled.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4950 
@Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4950 @Event.EventData.Data.SettingValue:No","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"medium","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"5yc-jqo-y3n","createdAt":1619018678867,"name":"Windows Firewall Disabled"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["technique:T1087-account-discovery","source:windows","tactic:TA0007-discovery","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user runs the `net` command to enumerate the `Administrators` group, which could be indicative of adversarial reconnaissance activity.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4799`, `@Event.EventData.Data.CallerProcessName` is `*net1.exe` and `@Event.EventData.Data.TargetUserName` is `Administrators`.\n\n## Triage and response\nVerify if `{{@Event.EventData.Data.SubjectUserName}}` has a legitimate reason to check for users in the Administrator group on `{{host}}`. 
\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":4,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4799 @Event.EventData.Data.CallerProcessName:*net1.exe @Event.EventData.Data.TargetUserName:Administrators","groupByFields":["@Event.System.Computer"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"low","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"low","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 0"}],"type":"log_detection","id":"dqi-uaj-wgy","createdAt":1619018678865,"name":"Windows Net command executed to enumerate administrators"}]} + {"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. 
If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":15,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"} headers: Content-Type: - application/json 
@@ -988,50 +818,19 @@ interactions: code: 200 duration: "" - request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=7&page%5Bsize%5D=100 - method: GET - response: body: | - {"meta":{"page":{"total_filtered_count":100,"total_count":824}},"data":[{"updateAuthorId":0,"creationAuthorId":0,"tags":["scope:windows","technique:T1098-account-manipulation","source:windows","security:attack","tactic:TA0003-persistence"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is added to the Domain Administrator group. A rogue active directory account can added to the Domain Admins group.\n\n## Strategy\nMonitoring of Windows event logs where `@evt.id` is `4728` and the `@Event.EventData.Data.TargetUserName:\"Domain Admins\"`\n\n## Triage & Response\nVerify if `{{@Event.EventData.Data.TargetUserName}}` should be added to the `Domain Admins` group\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":3600,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"source:windows.events @evt.id:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"standardized_attributes","distinctFields":[]},{"query":"@Event.System.EventID:4728 @Event.EventData.Data.TargetUserName:\"Domain Admins\"","groupByFields":["@Event.EventData.Data.SubjectUserName","@Event.EventData.Data.TargetUserName"],"aggregation":"count","name":"non_standardized_attributes","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"standardized","condition":"standardized_attributes > 0"},{"status":"info","notifications":[],"name":"non-standardized","condition":"non_standardized_attributes > 
0"}],"type":"log_detection","id":"yzx-i3w-40t","createdAt":1619018679429,"name":"Windows User Added to Domain Admin Group"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["iaas:aws","scope:s3","source:cloudtrail","technique:T1562-impair-defenses","tactic:TA0005-defense-evasion","security:attack"],"isEnabled":true,"hasExtendedTitle":true,"message":"# WARNING: Rule is being deprecated on 10 April 2022\n\n## Goal\nDetect if an entire AWS S3 Lifecycle configuration is deleted from a bucket.\n\n## Strategy\nUsing the `@evt.name`, the Datadog standard attribute that shows the API call, determine if a `DeleteBucketLifecycle` call occurred.\n\n## Triage & Response\n1. Determine if `{{@evt.name}}` should have occurred on the `{{@requestParameters.bucketName}}` by `username:` `{{@usr.name}}`, `accountId:` `{{@usr.id}}` of `type:` `{{@userIdentity.type}}`.\n2. If the `{{@evt.name}}` API call accidentally occurred, restore the configuration to the `{{@requestParameters.bucketName}}`. Otherwise, investigate further.\n\n## Changelog\n08 Mar 2022 - Deprecating rule. 
If a policy is deleted, the data remains forever.","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":7200,"keepAlive":3600},"version":5,"isDefault":true,"filters":[],"queries":[{"query":"-status:error @eventSource:s3.amazonaws.com @evt.name:DeleteBucketLifecycle","groupByFields":["@requestParameters.bucketName"],"aggregation":"count","name":"policy_deleted","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"info","notifications":[],"name":"lifecycle policy deleted","condition":"policy_deleted > 0"}],"type":"log_detection","id":"lcn-irr-jo6","createdAt":1638798365190,"name":"[DEPRECATED] An AWS S3 bucket lifecycle policy was deleted"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","requirement:Master-Node-Configuration-Files","control:1.1.17","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEnsure that the `controller-manager.conf` file has permissions of 644 or more restrictive.\n\n## Rationale\n\nThe `controller-manager.conf` file is the kubeconfig file for the Controller Manager. You should restrict its file permissions to maintain the integrity of the file. The file should be writable by only the administrators on the system.\n\n## Audit\n\nRun the following command (based on the file location on your system) on the master node.\n\n```bash\nstat -c %a /etc/kubernetes/controller-manager.conf\n```\n\nVerify the permissions are `644` or more restrictive.\n\n## Remediation\n\nRun the below command (based on the file location on your system) on the master node. For example, `chmod 644 /etc/kubernetes/controller-manager.conf`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `controller-manager.conf` has permissions of 640.\n\n## References\n\n1. 
https://kubernetes.io/docs/admin/kube-controller-manager/\n\n## CIS controls\n\nVersion 6\n\n5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.\n\nVersion 7\n\n5.2 Maintain Secure Images - Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.1.17","framework":"cis-kubernetes","requirement":"Master-Node-Configuration-Files","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.1.17\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"iss-afi-xfp","createdAt":1599599454121,"name":"controller-manager.conf file cannot be altered by non-owners"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.3","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nDo not use self-signed certificates for TLS.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. 
These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.\n\n## Audit\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that if the `--auto-tls` argument exists, it is not set to `true`.\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and either remove the `--auto-tls` parameter or set it to false:\n\n```\n--auto-tls=false\n```\n\n## Impact\n\nClients will not be able to use self-signed certificates for TLS.\n\n## Default value\n\nBy default, `--auto-tls` is set to false.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/ ][2]\n3. [https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls][3]\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. Version 7 14.4 Encrypt All Sensitive Information in Transit Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#auto-tls\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.3","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.3\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"qai-h9s-xgt","createdAt":1599606018741,"name":"etcd does not allow the use of self-signed client certificates"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.5","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured for peer authentication.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-client-cert-auth` argument is set to `true`. 
\n\n## Remediation\n\nEdit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameter:\n\n```\n--peer-client-cert-auth=true\n```\n\n## Impact\n\nAll peers attempting to communicate with the etcd server will require a valid client certificate for authentication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, `--peer-client-cert-auth` argument is set to false.\n\n## References\n\n1. https://coreos.com/etcd/docs/latest/op-guide/security.html \n2. https://kubernetes.io/docs/admin/etcd/ \n3. https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n\n## CIS controls\n\nVersion 6.14.4 Protect Information With Access Control Lists - All information stored on systems shall be protected with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. \n\nVersion 7.14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/ \n[3]: https://coreos.com/etcd/docs/latest/op-guide/configuration.html#peer-client-cert-auth\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.5","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.5\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"l01-5y2-miz","createdAt":1599605099307,"name":"etcd is configured for peer authentication"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","source:compliance-agent","control:2.1","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nConfigure TLS encryption for the etcd service.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.\n\n## Audit\n\nRun the following command on the etcd server node:\n```\nps -ef | grep etcd\n```\nVerify that the `--cert-file` and the `--key-file` arguments are set as appropriate.\n\n## Remediation\n\nFollow the etcd service documentation and configure TLS encryption. 
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--cert-file= \n--key-file=\n```\n\n## Impact\n\nClient connections only over TLS would be served.\n\n## Default value\n\nBy default, TLS encryption is not set.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. \n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.1","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":12,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.1\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"ezf-1mn-luf","createdAt":1599604210918,"name":"etcd is configured with TLS encryption"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","scored:false","control:1.2.33","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEncrypt 
etcd key-value store.\n\n## Rationale\n\netcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures.\n\n## Audit\n\nRun the following command on the master node:\n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--encryption-provider-config` argument is set to a EncryptionConfig file. Additionally, ensure that the EncryptionConfig file has all the desired resources covered especially any secrets.\n\n## Remediation\n\nFollow the Kubernetes documentation and configure a EncryptionConfig file. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the `--encryption-provider-config` parameter to the path of that file: `--encryption-provider-config=`\n\n## Impact\n\nNone\n\n## Default value\n\nBy default, `--encryption-provider-config` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/ \n2. https://acotten.com/post/kube17-security \n3. https://kubernetes.io/docs/admin/kube-apiserver/ \n4. https://github.com/kubernetes/features/issues/92\n\n## CIS controls\n\nVersion 6 14.5 Encrypt At Rest Sensitive Information Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information. 
\n\nVersion 7 14.8 Encrypt Sensitive Information at Rest Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.33","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":14,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.33\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"7rg-crl-fs0","createdAt":1599602954959,"name":"etcd is encrypted at rest"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.29","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. 
This requires the API server to identify itself to the etcd server using a client certificate and key.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-certfile` and `--etcd-keyfile` arguments exist and they are set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate and key file parameters. \n```\n--etcd-certfile= \n--etcd-keyfile=\n```\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-certfile` and `--etcd-keyfile` arguments are not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 9 Limitation and Control of Network Ports, Protocols, and Services\nVersion 7 9 Limitation and Control of Network Ports, Protocols, and Services\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.29","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":11,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.29\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"2xl-vuo-tud","createdAt":1599606113167,"name":"etcd server requires API servers present a client certificate and key when 
connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","security:compliance","control:1.2.32","source:compliance-agent","framework:cis-kubernetes","requirement:API-Server"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\netcd should be configured to make use of TLS encryption for client connections.\n\n## Rationale\n\netcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a SSL Certificate Authority file.\n\n## Audit\n\nRun the following command on the master node: \n```\nps -ef | grep kube-apiserver\n```\nVerify that the `--etcd-cafile` argument exists and it is set as appropriate.\n\n## Remediation\n\nFollow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter: `--etcd-cafile=`\n\n## Impact\n\nTLS and client certificate authentication must be configured for etcd.\n\n## Default value\n\nBy default, `--etcd-cafile` is not set.\n\n## References\n\n1. https://kubernetes.io/docs/admin/kube-apiserver/ \n2. https://coreos.com/etcd/docs/latest/op-guide/security.html\n\n## CIS controls\n\nVersion 6 14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. 
\n\nVersion 7 14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit.\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"1.2.32","framework":"cis-kubernetes","requirement":"API-Server","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-1.2.32\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"o8k-9hv-rri","createdAt":1599605669411,"name":"etcd server requires API servers present an SSL CA file when connecting"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:etcd","security:compliance","control:2.4","source:compliance-agent","framework:cis-kubernetes"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nEtcd should be configured to make use of TLS encryption for peer connections.\n\n## Rationale\n\nEtcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.\n\n## Audit\n\nThis recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable.\n\nRun the following command on the etcd server node: \n```\nps -ef | grep etcd\n```\nVerify that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate. 
\n\n## Remediation\n\nFollow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters:\n\n```\n--peer-cert-file= \n--peer-key-file=\n```\n\n## Impact\n\nEtcd cluster peers would need to set up TLS for their communication.\n\n## Default value\n\n*Note*: This recommendation is applicable only for etcd clusters. If you are using only one etcd server in your environment then this recommendation is not applicable. By default, peer communication over TLS is not configured.\n\n## References\n\n1. [https://coreos.com/etcd/docs/latest/op-guide/security.html ][1]\n2. [https://kubernetes.io/docs/admin/etcd/][2]\n\n## CIS controls\n\nVersion 6.14.2 Encrypt All Sensitive Information Over Less-trusted Networks - All communication of sensitive information over less-trusted networks should be encrypted. Whenever information flows over a network with a lower trust level, the information should be encrypted. \n\nVersion 7.14.4 Encrypt All Sensitive Information in Transit - Encrypt all sensitive information in transit. 
\n\n[1]: https://coreos.com/etcd/docs/latest/op-guide/security.html \n[2]: https://kubernetes.io/docs/admin/etcd/\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"kubernetes_master_node","complianceFrameworks":[{"control":"2.4","framework":"cis-kubernetes","requirement":"etcd","version":"1.5.1"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-kubernetes-1.5.1-2.4\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"lzq-1mk-xc7","createdAt":1599603941695,"name":"etcd uses TLS encryption for peer connections"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268670005,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0ki-9gf-7vw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268675445,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"fis-tpv-7e9","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268673"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664268680145,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cz4-z0l-x9n","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664268677"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269014836,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rn5-nf5-ksh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269011"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269046838,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"fz1-gx5-cfu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269044"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269050802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ypr-rnw-joz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269048"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664269055831,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"zl4-kr6-djp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664269053"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664777973028,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kth-eqs-z4b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664777971"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778122036,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0fg-gyo-jlu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778119"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778139644,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wee-m6g-g6a","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778135"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778146837,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high 
case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"3it-fxn-3hr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778144"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778474235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nw9-oof-55y","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778472"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664778792415,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gsl-t9k-ji6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664778790"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779074513,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dgt-zts-cbx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779072"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779118769,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"oxx-qrx-9b6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779116"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664779161311,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"7eo-dyi-vkr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664779159"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664784675086,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really 
match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sqx-soj-zop","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664784672"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664894383761,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning 
case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rgz-io3-obc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1664894381"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500464305,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"py6-vnm-mjb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500463"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1665500511838,"filters":[{"action":"suppress","query":"does not 
really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"bgv-pky-7u4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRuleDatasource-local-1665500511"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"rdc-qe2-jmq","createdAt":1664875756276,"name":"tf-TestAccDatadogSecurityMonitoringRule_Basic-local-1664875755 - 
updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270708266,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270705_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"6i5-yop-zhx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270705"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664270714195,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664270711_random_id OR random_id)","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"high case","condition":"first > 3"}],"type":"workload_security","id":"h7e-iuc-twh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664270711"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"query":"@agent.rule_id:(tf_TestAccDatadogSecurityMonitoringRule_CwsRule_local_1664875755_random_id OR 
random_id)","groupByFields":["service"],"aggregation":"count","name":"first","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first > 10"}],"type":"workload_security","id":"4p6-8dj-vxk","createdAt":1664875756580,"name":"tf-TestAccDatadogSecurityMonitoringRule_CwsRule-local-1664875755"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875508591,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"l2h-irs-i4s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664875506"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664890796815,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"rdn-on6-f0u","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_Import-local-1664890795"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered 
(updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"impossible_travel","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","metrics":["@usr.handle"],"groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"2e6-1vj-hdm","createdAt":1664875756231,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1664875755"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"newValueOptions":{"learningDuration":0,"learningMethod":"duration","forgetAfter":1,"learningThreshold":0},"evaluationWindow":0,"maxSignalDuration":900,"detectionMethod":"new_value","decreaseCriticalityBasedOnEnv":false,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"first","metric":"@network.bytes_read","aggregation":"new_value","metrics":["@network.bytes_read"],"groupByFields":["service"],"query":"does not really match much (updated)"}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":""}],"type":"log_detection","id":"d3o-dyr-ekr","createdAt":1664875756432,"name":"tf-TestAccDatadogSecurityMonitoringRule_NewValueRule-local-1664875755 - updated"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875438577,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"wtp-e5k-o0m","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875437"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875465554,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bxr-aqc-o02","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875463"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875502543,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 
0"}],"type":"log_detection","id":"lv2-e1f-cec","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875500"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875517305,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"qp0-onn-m2p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875516"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875546323,"filters":[],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"bzi-ilx-fzv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875544"},{"creationAuthorId":1445416,"tags":[],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875579060,"filters":[],"queries":[{"query":"does not really match 
much","groupByFields":["host"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"high","notifications":[],"name":"","condition":"a > 0"}],"type":"log_detection","id":"xul-toc-q1p","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875577"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"l6c-xu1-dnv","createdAt":1664875756561,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664875755 - updated"},{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":true,"hasExtendedTitle":false,"message":"acceptance rule triggered (updated)","options":{"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"threshold","evaluationWindow":60,"maxSignalDuration":600,"keepAlive":300},"version":2,"isDefault":false,"filters":[{"action":"suppress","query":"does not really suppress (updated)"}],"queries":[{"query":"does not really match much (updated)","groupByFields":["service"],"aggregation":"cardinality","name":"first_updated","distinctFields":["@orgId"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":["@user"],"name":"high 
case (updated)","condition":"first_updated > 3"},{"status":"high","notifications":[],"name":"warning case (updated)","condition":"first_updated > 0"}],"type":"log_detection","id":"e8n-cae-ky2","createdAt":1664883056478,"name":"tf-TestAccDatadogSecurityMonitoringRule_OnlyRequiredFields-local-1664883054 - updated"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528193711,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gbr-ngi-oug","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528189_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528202423,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"uyk-nla-buh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528198_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528210535,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"nqe-0ga-if6","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528205_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528372295,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m3p-iae-qru","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528368_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528379975,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"r7b-s2q-xnm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528376_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528389235,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dbd-bwe-l7e","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528385_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528434444,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"1un-efa-hcu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528429_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528441879,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"2ar-joj-lnc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528437_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664528451689,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ajt-mur-fzi","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664528446_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529209432,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"heh-hcb-gkz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529203_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529218377,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"zee-ycu-lwy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529213_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529225654,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhx-spk-1ho","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529221_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529297426,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"koq-fd2-uwo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529293_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529304614,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l2l-obs-hre","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529300_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664529312691,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"xgn-6s6-kbb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664529307_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550716802,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"w1p-qig-yrs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550714_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550722486,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ipa-wdu-rxp","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550720_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664550727477,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jeh-od4-wng","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664550725_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551028985,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wq1-uls-vzk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551027_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551034504,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"hrv-psy-1lt","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551032_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551039412,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"6jo-jph-rom","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551037_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664551131496,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"gpa-wht-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664551129_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553855904,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ere-3ih-4hw","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553850_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553865781,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"igs-lhm-bvu","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553859_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553874136,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"mkn-3te-hny","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553869_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664553997811,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sjp-5hc-wd1","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664553993_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554005892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require 
neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"5en-kmi-voy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554001_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664554016093,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 
10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"jif-umi-il5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664554010_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846704,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ayu-n1y-lqx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555846736,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"95d-moy-b5g","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555844_rule_1"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986763,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"qtr-rfo-jyg","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664555986772,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"jtt-tqn-ftb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664555984_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003507,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"l6w-anp-wyx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"m5n-4i5-vuj","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"4r7-mzb-i0w","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557003221,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"l6w-anp-wyx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557001385,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"m5n-4i5-vuj","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664556999_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009505,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"atg-jqy-mel","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wdi-bm8-1zq","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"fbs-vj5-dgz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009232,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"atg-jqy-mel","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557009200,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wdi-bm8-1zq","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557007_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015634,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"pra-dle-ewv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"wgt-akt-j4r","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"o9e-8fc-h5s","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"pra-dle-ewv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557015280,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"wgt-akt-j4r","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557013_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114930,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"x69-ehr-pdl","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"ypr-isf-4vo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"oi0-hje-74l","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114644,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"x69-ehr-pdl","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557114607,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"ypr-isf-4vo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557112_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557121029,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"ptq-rcm-nwe","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"bg8-5ts-afc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"f3z-x8q-dcn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120765,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"ptq-rcm-nwe","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557120726,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"bg8-5ts-afc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557118_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127622,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"wtt-nh6-juo","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"myy-dya-nr5","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"nfo-yne-q60","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127340,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"wtt-nh6-juo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557127298,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"myy-dya-nr5","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557125_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158347,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"riy-u8c-b7c","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sf3-rrp-eak","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"9zw-k5p-x8b","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158069,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"riy-u8c-b7c","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557158073,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 
9000"}],"type":"log_detection","id":"sf3-rrp-eak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557156_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164542,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"cur-pie-tfb","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"do1-l3w-hgc","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"yvb-ymn-q2k","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162"}]} - headers: - Content-Type: - - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" + {"filters":[],"isEnabled":true,"options":{"decreaseCriticalityBasedOnEnv":true}} form: {} headers: Accept: - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=8&page%5Bsize%5D=100 - method: GET - response: - body: | - {"meta":{"page":{"total_filtered_count":24,"total_count":824}},"data":[{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164250,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"cur-pie-tfb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557164241,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"do1-l3w-hgc","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557162_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171963,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"vhe-hy6-vz3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"0mi-hea-lgr","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"i5g-kql-euh","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171680,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"vhe-hy6-vz3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557171647,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"0mi-hea-lgr","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557169_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192391,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"njf-br2-d9z","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"mth-ttg-pke","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"tss-r1h-syz","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557192123,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"njf-br2-d9z","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664557190826,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"mth-ttg-pke","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664557188_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559663240,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"oas-ciy-bcx","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":0},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"sem-0mj-yqv","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"uus-bhq-ihb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662957,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"oas-ciy-bcx","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664559662131,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sem-0mj-yqv","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664559659_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875671210,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"4ja-gok-1x4","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"kp1-lvc-xv8","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"ncd-ps2-wdo","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670732,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"4ja-gok-1x4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875670705,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"kp1-lvc-xv8","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875668_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700315,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"rvg-pbb-0tm","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"dyi-it0-nj4","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"bew-lfi-qak","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700066,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvg-pbb-0tm","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875700033,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"dyi-it0-nj4","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875697_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723289,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"sz5-vsm-3tk","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"slo-i5s-pb3","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"3qe-a0j-8iy","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723030,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"sz5-vsm-3tk","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875723034,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"slo-i5s-pb3","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875721_rule_1"},{"creationAuthorId":1445416,"tags":["attack:advanced","alert:red"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756892,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"distinctFields":[],"correlatedByFields":["host"],"name":"first","ruleId":"keh-s9a-uhd","aggregation":"event_count","groupByFields":[]},{"distinctFields":[],"correlatedByFields":["host"],"name":"second","ruleId":"rvh-vhq-wjs","aggregation":"event_count","groupByFields":[],"correlatedQueryIndex":1}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 0 && second > 0"}],"type":"signal_correlation","id":"jy2-9kq-psb","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule 
triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756573,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"keh-s9a-uhd","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_0"},{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":true,"message":"acceptance rule triggered","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1664875756604,"filters":[{"action":"suppress","query":"does not really suppress"},{"action":"require","query":"does not really require neither"}],"queries":[{"query":"does not really match much","groupByFields":["host"],"aggregation":"count","name":"first","distinctFields":[]},{"query":"does not really match much 
either","groupByFields":["host"],"aggregation":"cardinality","name":"second","distinctFields":["@orgId"]},{"distinctFields":[],"name":"third","metric":"@network.bytes_read","aggregation":"sum","metrics":["@network.bytes_read"],"groupByFields":["host"],"query":"does not really match much either"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"high case","condition":"first > 3 || second > 10"},{"status":"medium","notifications":[],"name":"warning case","condition":"first > 0 || second > 0"},{"status":"low","notifications":[],"name":"low case","condition":"third > 9000"}],"type":"log_detection","id":"rvh-vhq-wjs","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_SignalCorrelation-local-1664875755_rule_1"},{"updateAuthorId":0,"creationAuthorId":0,"tags":["scored:true","requirement:Virtual-Machines","control:CC6.6","cloud_provider:gcp","requirement:Default-Security-Parameter","framework:cis-gcp","requirement:Compliance","level:1","control:2.2.2","framework:iso-27001","requirement:Access-Control","framework:pci","security:compliance","control:1.1.6","control:1.2.1","control:4.5","control:2.2.5","requirement:Communications-Security","requirement:Firewall-Configuration","control:A.13.1.1","control:A.18.1.3","framework:soc-2","scope:google_compute_instance","control:A.9.1.2","requirement:Logical-and-Physical-Access-Control","source:google_compute_instance","control:CC6.3"],"type":"cloud_configuration","isEnabled":true,"hasExtendedTitle":true,"message":"## Description\nInteracting with a serial port is often referred to as the serial console, which is similar to\nusing a terminal window, in that input and output is entirely in text mode and there is no\ngraphical interface or mouse support.\nIf you enable the interactive serial console on an instance, clients can attempt to connect to\nthat instance from any IP address. 
Therefore interactive serial console support should be\ndisabled.\n\n## Rationale\nA virtual machine instance has four virtual serial ports. The instance's operating system, BIOS,\nand other system-level entities often write output to the serial ports, and can accept input\nsuch as commands or answers to prompts. Typically, these system-level entities use the\nfirst serial port (port 1) and serial port 1 is often referred to as the serial console.\nThe interactive serial console does not support IP-based access restrictions such as IP\nallow lists. If you enable the interactive serial console on an instance, clients can attempt to\nconnect to that instance from any IP address. This allows anybody to connect to that\ninstance if they know the correct SSH key, username, project ID, zone, and instance name.\nTherefore interactive serial console support should be disabled.\n\n## Remediation\n\n### From console\n1. Login to Google Cloud console.\n2. Go to Computer Engine.\n3. Go to VM instances.\n4. Click on the specific VM.\n5. Click `EDIT`.\n6. in the `Remote access` section, clear the `Enable connecting to serial ports`.\n7. Click `Save`.\n\n### From the command line\nUse the following command to disable connecting to serial ports:\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=false\n ```\nor\n ```\n gcloud compute instances add-metadata --zone= --metadata=serial-port-enable=0\n ```\n\n## Prevention:\nYou can prevent VMs from having serial port access by enabling the `Disable VM serial port access` organization policy:\n[https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess][1]\n\n## Default value\nBy default, connecting to serial ports is not enabled.\n\n## References\n1. 
[https://cloud.google.com/compute/docs/instances/interacting-with-serial-console][2]\n\n\n## CIS Controls\n\nVersion 8 - 4.8: Uninstall or Disable Unnecessary Services on Enterprise\nAssets and Software\n- Uninstall or disable unnecessary services on enterprise assets and software, such\nas an unused file sharing service, web application module, or service function.\n\nVersion 7 - 9.2 Ensure Only Approved Ports, Protocols and Services Are Running\n- Ensure Only Approved Ports, Protocols and Services Are Running\n\n[1]: https://console.cloud.google.com/iam-admin/orgpolicies/compute-disableSerialPortAccess\n[2]: https://cloud.google.com/compute/docs/instances/interacting-with-serial-console","options":{"detectionMethod":"threshold","evaluationWindow":7200,"maxSignalDuration":86400,"complianceRuleOptions":{"complianceFrameworks":[{"control":"4.5","framework":"cis-gcp","requirement":"Virtual-Machines","version":"1.3.0"},{"control":"1.1.6","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"1.2.1","framework":"pci","requirement":"Firewall-Configuration","version":"3.2.1"},{"control":"2.2.2","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"2.2.5","framework":"pci","requirement":"Default-Security-Parameter","version":"3.2.1"},{"control":"A.9.1.2","framework":"iso-27001","requirement":"Access-Control","version":"2"},{"control":"A.13.1.1","framework":"iso-27001","requirement":"Communications-Security","version":"2"},{"control":"A.18.1.3","framework":"iso-27001","requirement":"Compliance","version":"2"},{"control":"CC6.3","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"},{"control":"CC6.6","framework":"soc-2","requirement":"Logical-and-Physical-Access-Control","version":"2"}],"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport 
future.keywords.in\n\neval(compute_instance) = \"fail\" if {\n\tmeta := compute_instance.metadata.items[_]\n\tmeta.key == \"serial-port-enable\"\n\tmeta.value == \"true\"\n} else = \"pass\" {\n\ttrue\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_instance"]},"validationQuery":"","resourceType":"gcp_compute_instance","filter":"","queryPath":"","complexRule":false},"keepAlive":21600},"version":8,"isDefault":true,"filters":[],"queries":[{"query":"resource_type:gcp_compute_instance","groupByFields":["resource_type","resource_id"],"aggregation":"count","name":"a","distinctFields":[]}],"isDeleted":false,"complianceSignalOptions":{"defaultActivationStatus":false,"userActivationStatus":null,"defaultGroupByFields":["@resource"],"userGroupByFields":null},"cases":[{"status":"medium","notifications":[],"name":"","condition":"a > 0"}],"id":"mv9-8fa-zlf","createdAt":1656531993118,"name":"\u2018connecting to serial ports\u2019 is not enabled for VM Instance"}]} - headers: Content-Type: - application/json - status: 200 OK - code: 200 - duration: "" -- request: - body: "" - form: {} - headers: - Accept: - - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules?page%5Bnumber%5D=9&page%5Bsize%5D=100 - method: GET + url: https://api.datadoghq.com/api/v2/security_monitoring/rules/3d9-oev-jbm + method: PUT response: body: | - {"meta":{"page":{"total_filtered_count":0,"total_count":824}},"data":[]} + {"updateAuthorId":1445416,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor 
CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"} headers: Content-Type: - application/json 
@@ -1044,11 +843,11 @@ interactions: headers: Accept: - application/json - url: https://api.datadoghq.com/api/v2/security_monitoring/rules/myy-dsj-omk + url: https://api.datadoghq.com/api/v2/security_monitoring/rules/3d9-oev-jbm method: GET response: body: | - {"updateAuthorId":0,"creationAuthorId":0,"tags":["security:compliance","framework:cis-docker","requirement:Linux-Hosts-Specific-Configuration","control:1.2.6","source:compliance-agent"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Description\n\nAudit the `docker.service` if applicable.\n\n## Rationale\n\nAs well as auditing Linux file system and system calls, you should also audit all Docker related files and directories. The Docker daemon runs with root privileges and its behavior depends on some key files and directories, including `docker.service`. The `docker.service` file might be present if the daemon parameters have been changed by an administrator. If so, it holds various parameters for the Docker daemon and should be audited.\n\n## Audit\n\n1. Locate the `docker.service` file by running: \n ```\n systemctl show -p FragmentPath docker.service\n ```\n\n2. If the file does not exist, this recommendation does not apply. If the file does exist, verify that there is an audit rule corresponding to the `docker.service` file by running: \n\n ```\n auditctl -l | grep docker.service\n ```\n\n## Remediation\n\nIf the file exists, a rule for it should be added. For example, add the following line to the `/etc/audit/audit.rules` file: \n```\n-w /usr/lib/systemd/system/docker.service -k docker \n```\n\nThen restart the audit daemon: \n\n```\nservice auditd restart\n```\n\n## Impact\n\nAuditing can generate large log files. You should ensure that these are rotated and archived periodically. A separate partition should also be created for audit logs to avoid filling up any other critical partition.\n\n## Default value\n\nBy default, Docker related files and directories are not audited. 
The file `docker.service` may not be present on the system.\n\n## References\n\n1. [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html][1]\n\n## CIS controls\n\nVersion 6.14.6 Enforce Detailed Audit Logging For Sensitive Information - Enforce detailed audit logging for access to nonpublic data and special authentication for sensitive data. \n\nVersion 7.14.9 Enforce Detail Logging for Access or Changes to Sensitive Data - Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). \n\n[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html\n","options":{"detectionMethod":"threshold","evaluationWindow":300,"maxSignalDuration":86400,"complianceRuleOptions":{"resourceType":"docker_daemon","complianceFrameworks":[{"control":"1.2.6","framework":"cis-docker","requirement":"Linux-Hosts-Specific-Configuration","version":"1.2.0"}],"validationQuery":"","complexRule":false},"keepAlive":7200},"version":9,"isDefault":true,"filters":[],"queries":[{"query":"source:compliance-agent @agent_rule_id:\"cis-docker-1.2.0-1.2.6\"","groupByFields":["@resource_id"],"aggregation":"count","name":"","distinctFields":[]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"Failed","condition":"a > 0"}],"type":"infrastructure_configuration","id":"myy-dsj-omk","createdAt":1599605764788,"name":"Auditing for the docker.service file is configured"} + {"updateAuthorId":1445416,"creationAuthorId":0,"tags":["scope:amazon","security:compliance","iaas:aws","framework:cis-aws","source:cloudtrail","control:4.1","tactic:TA0007-discovery"],"isEnabled":true,"hasExtendedTitle":true,"message":"## Goal\nDetect when a user is assessing privileges in AWS through API bruteforcing technique.\n\n## Strategy\nThis rule lets you monitor 
CloudTrail to detect when the error message of `AccessDenied` is returned on more than 5 unique API calls.\n\n## Triage and response\n1. Determine if {{@userIdentity.arn}} should be attempting to use {{@evt.name}} API commands.\n * Use the Cloud SIEM - User Investigation dashboard to assess user activity.\n2. Contact the user to see if they intended to make these API calls.\n3. If the user did not make the API calls:\n * Rotate the credentials.\n * Investigate to see what API calls might have been made that were successful throughout the rest of the environment.\n\n## Changelog\nRule updated on 3 March 2022.","options":{"decreaseCriticalityBasedOnEnv":true,"detectionMethod":"threshold","evaluationWindow":900,"maxSignalDuration":86400,"keepAlive":3600},"version":16,"isDefault":true,"filters":[],"queries":[{"query":"source:cloudtrail @error.kind:AccessDenied","groupByFields":["@userIdentity.arn"],"aggregation":"cardinality","name":"unique_events_denied","distinctFields":["@evt.name"]}],"isDeleted":false,"cases":[{"status":"medium","notifications":[],"name":"more than 5 APIs AccessDenied","condition":"unique_events_denied > 5"}],"type":"log_detection","id":"3d9-oev-jbm","createdAt":1584475582956,"name":"A user received multiple AccessDenied errors"} headers: Content-Type: - application/json diff --git a/datadog/tests/resource_datadog_security_monitoring_default_rule_test.go b/datadog/tests/resource_datadog_security_monitoring_default_rule_test.go index ac0520788b..e9e45bfd3d 100644 --- a/datadog/tests/resource_datadog_security_monitoring_default_rule_test.go +++ b/datadog/tests/resource_datadog_security_monitoring_default_rule_test.go 
@@ -18,20 +18,22 @@ func TestAccDatadogSecurityMonitoringDefaultRule_Basic(t *testing.T) { PreCheck: func() { testAccPreCheck(t) }, ProviderFactories: accProviders, Steps: []resource.TestStep{ + // Define an existing default rule as one we want to import { - Config: testAccCheckDatadogSecurityMonitoringDefaultDatasource(), + Config: testAccDatadogSecurityMonitoringDefaultDatasource(), }, + // Import the rule { - Config: testAccCheckDatadogSecurityMonitoringDefaultNoop(), - ResourceName: tfSecurityDefaultRuleName, - ImportState: true, - ImportStateIdFunc: idFromDatasource, + Config: testAccCheckDatadogSecurityMonitoringDefaultNoop(), + ResourceName: tfSecurityDefaultRuleName, + ImportState: true, + ImportStateIdFunc: idFromDatasource, + ImportStatePersist: true, }, + // Change the "decrease criticality" flag { - Config: testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticality(), - ResourceName: tfSecurityDefaultRuleName, - ImportState: true, - ImportStateIdFunc: idFromDatasource, + Config: testAccDatadogSecurityMonitoringDefaultRuleDynamicCriticality(), + Check: testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticality(), }, }, }) @@ -43,10 +45,11 @@ func idFromDatasource(state *terraform.State) (string, error) { return resourceState.Primary.Attributes["rule_ids.0"], nil } -func testAccCheckDatadogSecurityMonitoringDefaultDatasource() string { +func testAccDatadogSecurityMonitoringDefaultDatasource() string { return ` data "datadog_security_monitoring_rules" "bruteforce" { - name_filter = "docker" + tags_filter = ["source:cloudtrail"] + default_only_filter = "true" } ` } @@ -54,7 +57,8 @@ data "datadog_security_monitoring_rules" "bruteforce" { func testAccCheckDatadogSecurityMonitoringDefaultNoop() string { return ` data "datadog_security_monitoring_rules" "bruteforce" { - name_filter = "docker" + tags_filter = ["source:cloudtrail"] + default_only_filter = "true" } resource "datadog_security_monitoring_default_rule" "acceptance_test" { 
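Review bot: The third step now applies `options { decrease_criticality_based_on_env = ... }` to a live, Datadog-managed default rule (the recorded cassette shows a `PUT .../rules/3d9-oev-jbm` answered with `"isDefault":true`), and no step in the hunk restores the previous value, so every run of this acceptance test leaves a default detection rule in the shared test org with altered severity handling. Because `ImportStatePersist: true` keeps the imported resource in state, the natural place for cleanup is a fourth `resource.TestStep` that re-applies the baseline option, or a `CheckDestroy` that resets it, rather than relying on the rule being overwritten by the next recording. I would add a comment on the step, e.g. `// NOTE: this mutates a shared default rule in the test org; the following step must restore its original options`, so the side effect is explicit to whoever re-records the cassette. Whether the provider's Delete for this resource already resets the rule is not visible here and would be worth confirming.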
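Review bot: The rule under test is picked as `rule_ids.0` of whatever `tags_filter = ["source:cloudtrail"]` with `default_only_filter = "true"` returns first, and the resource read now only emits the `options` block for `log_detection` rules (the `SECURITYMONITORINGRULETYPEREAD_LOG_DETECTION` check in the resource file), so if the API ever orders a non-log-detection default rule first on re-recording, `options.0.decrease_criticality_based_on_env` will be absent and the final check will fail for a reason unrelated to the feature. Pinning the rule more tightly, for example by combining the tag filter with the existing `name_filter` on the rule's title, would make the selection deterministic; the two config helpers could also share one datasource snippet instead of repeating it. If `default_only_filter` is a boolean attribute in the schema, `default_only_filter = true` is the clearer spelling than the quoted string.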
@@ -62,7 +66,7 @@ resource "datadog_security_monitoring_default_rule" "acceptance_test" { ` } -func testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticality() string { +func testAccDatadogSecurityMonitoringDefaultRuleDynamicCriticality() string { return ` resource "datadog_security_monitoring_default_rule" "acceptance_test" { options { @@ -72,7 +76,7 @@ resource "datadog_security_monitoring_default_rule" "acceptance_test" { ` } -func testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticalityCheck() resource.TestCheckFunc { +func testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticality() resource.TestCheckFunc { return resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr( tfSecurityDefaultRuleName, "options.0.decrease_criticality_based_on_env", "true"),
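Review bot: The renamed check only asserts `"options.0.decrease_criticality_based_on_env", "true"` after the update step, and the cassette's `PUT` response already reports `"decreaseCriticalityBasedOnEnv":true`, so if the rule's baseline value was already `true` this step never exercises Update and the assertion still passes; the prior value is not visible in the hunk, so this is an inference. A stronger test would first read the flag in the import step (an `ImportStateCheck` on the same attribute) and then apply the opposite value before checking, or at least assert the value changed between steps. The closing lines of `testAccCheckDatadogSecurityMonitoringDefaultDynamicCriticality` are outside the hunk.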